
My experience with Google’s 2-factor authentication

Authentication

All access-based security is unlocked by one (or more) of three things: what you have, what you know, or what you are.  The what you have case is easy to explain and understand.  The deadbolt on my front door needs a specific object — in this case a key — to open.  Access to a website or your email might depend on a username plus password.  That password is what you know.  Access to a high-security vault might be protected by a fingerprint or retina scanner.  That’s what you are.  Unless you are part of Mission Impossible (or, ahem, have access to a gummy bear) you cannot have, know, and use someone else’s fingerprint.

I can loan my key to a buddy, but once he returns it (setting aside the whole key copying thing), he no longer has access to my house.  If I give out the combination to the office supply room’s lock, though, that is just information and “information wants to be free.”  I can tell someone, who tells three more people, who tell three more people, and suddenly there are no more post-it notes or pens.  Or if I am not careful, someone can look over my shoulder as I type in the door code, getting access that way.  You can’t “look over somebody’s shoulder” for a copy of the key (at least, you couldn’t until recently or even more recently).  That’s the shortcoming with passwords.  They are susceptible to being captured, and once they’re known, they’re known.

Online systems that need a little extra security will sometimes use a combination of what you know + what you have instead of the baseline standard what you know (i.e. your password).  For instance, my bank requires not just a login, but needs a special cookie in my browser.  If I try to log in from a new computer, their system telephones me with an extra access code for confirmation.  Now, in an effort to thwart spyware and phishing, Google offers similar 2-factor authentication.

Google’s 2-Factor Authentication

Google does 2-factor authentication through a combination of your login (what you know) and a smartphone app that generates a unique 6-digit number every minute that is specific to you (what you have).  If you log in from a new web browser, you have to enter not only your username and password, but a recent number from the app.  You only have to do this once per browser and/or once every 30 days.  If you lose or break your smartphone, they give you a wallet-sized printout when you sign up of a dozen single-use passwords that you can use to log in.  Using those, you can log in and turn off 2-factor authentication until you can otherwise resolve the situation.  And you can always generate another wallet card at any time (though I think it voids the previous card).

Enabling It

If you are using a Google Apps account, your domain administrator will first have to enable 2-factor authentication on the domain.  This does not automatically force it upon all users.  Individual users still must opt in and go through the configuration steps.  Enabling it for the domain simply gives users the option.

Next, you will need to go into your individual account settings and enable it for your account.

Enabling 2-factor will take you through a few steps.  First, it will point you to the required smartphone app to install.  You will install it as one of the steps in the process.  In my case, it was Google Authenticator for the iPhone (iTunes Link).  Once you have that installed, it needs to be configured to generate your unique set of PIN codes.  With the iPhone, you take a photo of a barcode that Google’s website displays to you.  This conveys a ton of information to the smartphone app.  If your device does not have a camera (e.g. an iPod Touch), you get past this step by manually entering a bunch of information.  Next, you are presented with a wallet card to print out and keep.  This card has a bunch of single-use codes to log in.  It is extra insurance in case you lose or break your smartphone.

Yes, it is a little weird that Google wants you to have a few passwords WRITTEN DOWN!  That goes against everything you’ve been told about passwords, right?  Don’t write them down on post-it notes and don’t hide those notes under your keyboard.  On the other hand, there is a perfectly secure system that has been used for centuries for keeping bits of paper safe.  Those bits of paper are green and have denominations printed on them such as $20.  If you keep a couple of backup passwords in the same spot, they will likely be relatively safe and secure.

Using It

Using it is easy: you just launch the app and enter the current code.

The codes each last one minute, but if one is about to expire you can hold off until the next one comes around.  The pie chart in the top-left corner counts down the time remaining on the current code and turns red when it is nearly done.  If you do not have much time remaining, just wait until the next code appears.

Third-Party Apps

Not everything that connects to your Google account will understand two-factor authentication.  An IMAP mail client (such as the default Mail.app on the iPhone) has no way to ask you for that extra PIN code.  The same thing is true for a Google Reader client that wants to access your newsfeeds or a Google Voice app that makes phone calls using your account.  For these, you generate single-use (“nonce”) passwords.  You can have Google generate one unique password per app.  You see these passwords once, long enough to type into the app, then they are lost forever.  The app can continue using the same password, but you have no way to retrieve it again.  If you must reset an app and re-enter your authentication information, you will need to revoke the old password and generate a new one.  The UI and process for doing this are extremely easy.  Though the long passwords are secure, they are also sometimes a bit awkward to enter on the iPhone keyboard.
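The wallet card of single-use backup codes and the per-app passwords for clients that cannot prompt for a code share one server-side property: the plaintext is shown once and only a hash is kept, which is exactly why there is no way to retrieve it later, and why revoking one and issuing a fresh one is the only recovery path. This added example (not code from the post or from Google) models both in one hypothetical store. The class name, its methods, and the code formats (8-character backup codes, 16-character app passwords, lowercase alphanumeric) are choices made for this example, not Google’s.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical code formats chosen for this example: 8-character backup codes
# and 16-character app passwords drawn from a lowercase alphanumeric alphabet.
ALPHABET = string.ascii_lowercase + string.digits


def random_token(length: int) -> str:
    """Cryptographically random token from the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def digest(value: str) -> str:
    """Tokens here are high-entropy and machine-generated, so a plain SHA-256 is
    enough to make a leaked table useless; user-chosen passwords would need a
    slow, salted hash instead."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class SecondFactorStore:
    """Server-side record for one account's backup codes and app passwords.

    Only hashes are stored, which is why the plaintext can be shown once and
    never retrieved afterwards.
    """
    backup_hashes: Set[str] = field(default_factory=set)              # each entry valid once
    app_password_hashes: Dict[str, str] = field(default_factory=dict)  # app name -> hash

    def issue_backup_codes(self, count: int = 12) -> List[str]:
        """Print a new wallet card; issuing a new card invalidates the old one."""
        codes = [random_token(8) for _ in range(count)]
        self.backup_hashes = {digest(c) for c in codes}
        return codes

    def use_backup_code(self, code: str) -> bool:
        """Consume a backup code: accepted at most once, then discarded."""
        h = digest(code.strip().lower())
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False

    def issue_app_password(self, app_name: str) -> str:
        """Return the plaintext for the user to type into the app; keep only the hash."""
        password = random_token(16)
        self.app_password_hashes[app_name] = digest(password)
        return password

    def check_app_password(self, password: str) -> Optional[str]:
        """A client presents only username + app password, so match against every
        issued password and report which app it belongs to (None if revoked/unknown)."""
        h = digest(password)
        for app_name, stored in self.app_password_hashes.items():
            if hmac.compare_digest(stored, h):
                return app_name
        return None

    def revoke_app_password(self, app_name: str) -> bool:
        """After revocation the app must be given a freshly issued password."""
        return self.app_password_hashes.pop(app_name, None) is not None


if __name__ == "__main__":
    store = SecondFactorStore()
    card = store.issue_backup_codes()
    print("wallet card:", " ".join(card))
    print("first code accepted:", store.use_backup_code(card[0]))
    print("same code again:", store.use_backup_code(card[0]))
    mail_pw = store.issue_app_password("iPhone Mail")
    print("app password (shown once):", mail_pw)
    print("client login maps to:", store.check_app_password(mail_pw))
    store.revoke_app_password("iPhone Mail")
    print("after revocation:", store.check_app_password(mail_pw))
```

Labelling each app password with the app it was issued for is what makes per-app revocation possible: a lost phone means revoking only that phone’s mail password, while the desktop client keeps working with its own.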

Summary

Overall, I am happy with the 2-factor authentication experience at Google.  By design, such a process must be a little awkward — after all, you now have two password-like things to enter, one of which changes on its own — but their implementation makes it simple.  You only have to type in the extra code if you’re at a new browser or if it has expired, and it doesn’t expire for 30 days.  Setting up 3rd party apps is a one-time “set it and forget it” task that continues to work — you do not have to revisit it in 30 days.

If your Gmail is important to you and if you have the opportunity to enable 2-factor authentication, then I highly encourage you to do so.

Posted in: iPhone Software

2 thoughts on “My experience with Google’s 2-factor authentication”

  1. My co-worker told me about two-step verification or “tinfoil hat mode” as he calls it a while ago and thus far my experience has been very positive. I will say that I use a LOT of apps that need my Google account — chat clients, mail clients, Chrome (sync) and the like on my phone, iPad, home computer and work computer — but as you described, the process isn’t too bad. I found copying and pasting on the mobile devices worked better than trying to type them in.

    Anyway, great write up on it!
