
Please turn on two-factor authentication - cleverjake
http://www.mattcutts.com/blog/google-two-step-authentication/
======
avar
Something Google could do to drastically improve the security of their two-
factor authentication system is to add the ability to give more granular
permissions with the application-specific passwords.

I have an application that only needs to send E-Mail through my GMail account
(git-send-email), another that only needs to write to one specific GMail label
(Android SMS Backup), and Google Chrome surely doesn't need access to
_everything_. But you'd get full access to my account if you compromised any
of these.

They already have this for the Connected Sites, Apps, and Services. I sent
them a feature request for this a while ago but it hasn't been answered (and
there's no way to view it online).

~~~
estel
I didn't think Chrome any longer required an ASP?

~~~
gecko
It still does; I had to go through this yesterday. I don't mind Chrome so much
_per se_ , but this also means you need an application-specific password for
Chrome OS, at least for the initial sign-on, which I find oddly frustrating.

~~~
jrockway
It does if you set up the sync account via the Settings page, but if you
ignore the request to sign in, visit some Google page that requires login and
log in, Chrome will produce a yellow bar at the top of the screen asking if
you want to use that account for Chrome sync. Click yes and you don't need to
sign in any further.

------
JunkDNA
I was worried this would be a major pain when I enabled it, but I have to say,
it has been much more painless than I thought it would be. Most of the time, I
don't even think about it. Most of my consumption of google mail is through
clients on my laptops, iPhone, or iPad. So in that sense, it's not much
different from a regular password. The difference is that someone _else_ has a
much harder time cracking my account. It's actually much less obtrusive than
using lastpass (also highly recommended, but not as transparently usable).

That being said, two factor google auth wasn't going to save Matt Honan here.
Identity, trust, and authentication on the internet are all built on a
foundation of sand. We need a new model.

~~~
loeschg
I used two-factor authentication for about a year, and I just got so sick of
it. I had no issue with the whole logging in and using the time-sensitive code
from my Android phone. It was the support for all the other Google apps that
drove me crazy. I got really tired of needing to generate new temporary
passwords for access through iCal, Mail, and I think even sites like
StackOverflow. Perhaps I was at a point in life where I had too many new
devices and changes going on.

It's the typical security vs accessibility trade-offs. Accessibility won.

~~~
wccrawford
Plus, don't the special passwords for specific apps (that don't use 2-factor
auth) violate the whole point of 2-factor in the first place?

Now, you've got several passwords that work, instead of 1 and a keyfob. Ugh.

Edit: Apparently, you can't log into the web interface with those passwords.
That's a step in the right direction, but still not fully secure.

~~~
FaceKicker
The app-specific passwords are a feature and if you prefer the extra security
over being able to use apps that don't support 2-factor, then you can choose
not to use them, and get the full security benefits of 2-factor. It's just
that, short of expecting every single third-party client app to implement
2-factor authentication or not allowing access to any that don't, there's no
alternative to the app-specific passwords.

They are strictly better than using a single password for everything though,
in that they are unique and strong (due to being automatically generated and
16 characters long), and easily revocable.

~~~
Evbn
Non-web apps don't have a UI for two-factor. App-specific password is a
compromise, which is vulnerable if someone steals your local installation of
the client to get its keys.

~~~
FaceKicker
Right. Did I say something contradicting that? Google could have decided not
to offer application-specific passwords at all, but from any individual user's
perspective, that's exactly equivalent to just not using them. At least having
application-specific passwords gives you the option, and is at _least_ as
secure as giving your master password away to every client application.

I suppose there is one possible negative consequence to users who opt not to
use app-specific passwords: their existence alone removes some of the
incentive for client applications to implement 2-factor themselves (which I
don't know if Google even has an API for). And sure, it would be nice to have
features like access control on a per password basis (e.g., so I could allow
Pidgin to access only gchat, but no other part of my account). But the
implication that the mere existence of application-specific passwords somehow
makes Google's 2 factor auth useless is just wrong.

------
Karunamon
The reason I'm not using 2FA right now is twofold. First, because Google
doesn't have half of their services using it for some undefined reason (for at
least a year plus!). Also, the whole "app specific password" thing is a huge
pain in the ass. (And appears to randomly stop working on say, IMAP mail).

Second, because the mobile authenticator is not feasible for me right now. I
do a lot of android development work (well, mostly screwing around, but we'll
call it work) on the side, with the result that I'm wiping my phone for
romflashes at least once a week. Makes everything going through a mobile app a
little useless.

I really wish Google would support a hardware token of some kind.

~~~
smackfu
Yes, can someone explain why Google Chrome doesn't support 2FA on the desktop
or iOS? It's bizarre.

(Well, I suppose it's tragically normal. I'm sure there is a corporate
directive that says every Google service must support 2FA, but Chrome has an
exception so they don't need to do it yet.)

~~~
mithaler
Dunno about iOS, but Chrome does on the desktop; it asks you for an
application-specific password when you turn on sync.

~~~
smackfu
OK, but it should be asking you for an authenticator code instead. It uses
this bizarre "normal password + app specific password" requirement that isn't
used anywhere else.

~~~
gergles
Your data is encrypted with the normal password, so it needs it to decrypt the
sync data. The App-specific password is used to log in to the server to GET
the sync data in the first place.

~~~
Karunamon
So again, why not have the authenticator instead of the app password?

------
Lagged2Death
Am I the only person in the world who doesn't have a cell phone? It annoys me
that the two-factor auth setups at sites (like Google) assume I have one and
don't even have an option for "I don't have a cell phone, please stop nagging
me about this."

~~~
nodata
Yes you are, and I suspect you know this. Even in most third world countries
cell-phones are common.

~~~
acqq
Still, if I plan to use Google Authenticator, I don't want to give Google my
phone number at all. When they insist to get the phone number from me, I don't
like it.

~~~
pooriaazimi
I don't think you need to get them a phone number. I use Google Authenticator
app on my iPhone, and didn't give them anything. It just scanned a barcode on
a webpage IIRC.

~~~
zumda
The bar code was actually just a code to initialize the code generation (I
think it is based on that randomly generated seed and the time, so that then
server and client generate the same keys). You could have also typed in the
code by hand.

~~~
pooriaazimi
You're absolutely right. My parent was talking about giving Google his/her
phone number, which I was responding to :)

------
zumda
I'm always dumbfounded when these topics come up and a lot of people start
saying how inconvenient it is, that it is all wrong. But these are probably
the same people which later accuse Google that they didn't do enough to
protect their accounts!

Yes, two factor authentication is a small hassle. Yes, two factor
authentication requires a bit to set up. But do you realize how much actually
depends on your email account being safe?

For one, how many times did you use Google's OpenID provider? Yes, that's your
Gmail account! Or for how many services did you use your Gmail account as the
email address? You know that password resets go to that account, right?

Don't do that? Maybe you use Google Calendar, then. So yes, there is actually
a lot of sensitive data in there. If you don't believe me, try to get a hold
of a friend's calendar, and see what you can guess about that person just from
the calendar.

Or should someone just post some slander about you on your G+ profile? Or buy
some apps from the Android Market? Of course these things never happen to
you...

So just take the time to, besides looking at the time or the latest message on
your phone, open that stupid app and type that stupid code in! It's not THAT
much work!

------
cs702
Two-factor authentication improves security, but cannot solve the online
security problem for most people, because the vulnerabilities are primarily
CULTURAL: the average person does not understand the risks nor what they could
do to ameliorate them.

Compare the attitude towards security that people have in the physical world
with their attitude online. No sane person would ever want to use the same
exact key to open their home, car, desk, safety deposit box, etc., because
that would obviously be unsafe. Yet most people today will happily use the
same easy-to-remember password for all online accounts without giving it a
second thought.

Similarly, no sane person would ever lend their wallet and keys to a stranger,
because that would obviously be unsafe. Yet most people today will happily
walk into an Internet cafe or hotel business center and enter all their online
credentials without giving it a second thought.

Providers of online services like Google, Amazon, Apple, etc. will find it
difficult to solve the security problem until society has evolved its
understanding of, and attitude towards, online security.

--

Edit: softened the tone of the last paragraph to make it more accurately
reflect my views.

~~~
sigkill
I do agree with you on the key analogy but there's a security breach there as
well. Most of the keys are generally found on the same keyring. So, in effect
it's identical to using a single password.

~~~
cs702
That's true only to some extent: people keep on their keyring only those keys
they need for daily use. Less frequently used keys (e.g., keys to a safety
deposit box at the bank, keys to a home safe, keys to a second home) are
typically stored in a drawer, a closet, or a safe.

Also, note that having different keys means one can give copies of different
keys to different persons for different purposes -- e.g., copy of the home key
to a baby sitter, copy of the desk key to a co-worker, copy of the home key to
trusted neighbors.

People today intrinsically understand that they have to be mindful about whom
they lend their keys to, who gets copies of their keys, and where the keys are
stored.

~~~
maxerickson
On the other hand, typical house locks are (apparently) only locks by way of
cultural convention.

(I say apparently because the ease of using things like bump keys is pretty
widely publicized but I have never actually tried it myself)

~~~
dredmorbius
Conventional locks _are_ far less secure than most people would realize.

That said, your house isn't directly connected to 2.26 billion people who can
make hundreds (or thousands or billions) of bump-key attempts per second.

~~~
sigkill
In that respect it's like a bcrypted safe with a 4 character password and
limited bandwidth.

------
andyakb
Really surprised so many people that post here refuse to use Google
Authenticator because it's "annoying." Is it a hassle? Yes, but if you have
ever had your email (and other accounts) compromised you understand why it is
worth that small 5 second hassle when you login.

One feature that I cannot understand why it hasn't been implemented though is
protecting the app itself with a password or pin. Some people say to just
protect your whole phone, but I don't really want to do that because to me that
_is_ too large a hassle. If I lose my phone I can revoke access to my email
and other similar apps, but not if the person that finds it opens up Google
Authenticator (which shows the account the id is used for) and logs in to
change the password before I have a chance to. Even just allowing for it to
display an account nickname instead of full login would be a huge step forward.

~~~
sp332
It's not a 5 second hassle. I don't get a cell signal in the steel gymnasium
even though the wifi works fine. I physically have to go outside to get a code
every time I want to log in. And then if my phone is not working, or I leave
it at home, I'm screwed.

~~~
fr0sty
FTA:

You can install a standalone app called Google Authenticator (it’s also
available in the App Store), so your cell phone doesn’t need a signal.

Also:

You can print out a small piece of paper with 10 one-time rescue codes and put
that in your wallet. Use those one-time codes to log in even without your
phone.

~~~
sp332
Hm, can you generate new codes whenever you need to? It might be cool to use
these 10 at a time as a one-time pad.

~~~
prawn
Yes, you can revoke those printed codes or issue more whenever you like.

------
mike-cardwell
Somebody should set up a website dedicated to listing organisations and what
information is required in order to obtain access to an account at that
organisation.

------
OoTheNigerian
Like the second class citizens of the web we are, Nigeria does not have 2
factor authentication.

Ghana, Pakistan, Iran, North Korea, Russia, all have 2 factor authentication.
Why not Nigeria? This is just another example why being Nigerian is kinda hard
on the internet.

<https://accounts.google.com/b/0/SmsAuthConfig>

<http://oonwoye.com/2011/01/23/life-as-a-second-class-citizen-of-the-web/>

~~~
nodata
> Why not Nigeria?

Can Nigerians use the Google Authenticator app?

If yes, then the answer is probably high SMS costs.

~~~
OoTheNigerian
High SMS costs?

It is exactly why I put the range of countries above. Can we be in a worse
situation than them all?

~~~
nodata
Then why? Lack of demand? Market not interested? Support costs too high?

------
robomartin
All this talk about security and multiple authentication levels yet, your
browser --if you use Chrome-- is the worst security leak in a person's digital
life. It would take almost anyone a minute in front of a computer to fire-up
Chrome and have every single login and password available in plain text.

I've written about this before and so have countless other techies. A non-
techie has not a single clue, making them perfect victims. Any number of
scenarios can be imagined: From taking your laptop in for repairs/upgrades to
someone gaining physical access to your machine for just a few minutes. And,
just like that, your digital life is turned upside-down.

~~~
danweber
I think most people are aware that the passwords saved in their browser are,
well, saved in their browser, and if someone unkind gains access to the
browser they gain access to all the sites with saved passwords.

~~~
robomartin
The point is that Chrome doesn't even make an attempt to slow down potential
thieves. And, while I understand that absolute security is impossible, Chrome
makes it so even a technology neophyte can steal your digital life with a few
minutes of low-effort point-and-click action.

I use Chrome all the time. As a developer I am keenly aware of the issues and
manage the risk. I will not allow anyone in my family to use Chrome because
the potential security leak could have dire consequences.

------
mike-cardwell
I hear a lot of people advising to turn on two factor auth on Google because
of this incident, but I haven't heard anyone say that we should be deleting
our card details from Amazon. Well, I have, and you should too. Lots of places
use the last 4 digits of your card as "authentication", and Amazon happily
displays those details in your account.

~~~
bcl
Note that they had to break into the account in order to view those last 4
digits. You seem to be implying that they show them to anyone.

Either way, using the last 4 digits as 'security' is just stupid. You can get
those from a receipt.

~~~
danso
* Edit: Ah, technically they did break into the email account. The first time I read this I thought that they just had access to the account info page (doing things, such as purchasing or accessing account settings, requires password-entry by Amazon)

No, they did not have to break into the Amazon account.

<http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/>

> _First you call Amazon and tell them you are the account holder, and want to
> add a credit card number to the account. All you need is the name on the
> account, an associated e-mail address, and the billing address. Amazon then
> allows you to input a new credit card. (Wired used a bogus credit card
> number from a website that generates fake card numbers that conform with the
> industry’s published self-check algorithm.) Then you hang up._

> _Next you call back, and tell Amazon that you’ve lost access to your
> account. Upon providing a name, billing address, and the new credit card
> number you gave the company on the prior call, Amazon will allow you to add
> a new e-mail address to the account. From here, you go to the Amazon
> website, and send a password reset to the new e-mail account. This allows
> you to see all the credit cards on file for the account — not the complete
> numbers, just the last four digits. But, as we know, Apple only needs those
> last four digits. We asked Amazon to comment on its security policy, but
> didn’t have anything to share by press time._

~~~
npsimons
_But, as we know, Apple only needs those last four digits. We asked Amazon to
comment on its security policy, but didn’t have anything to share by press
time._

Wow. That's really bad. I mean, it's stupid that Amazon allows that sort of
thing (and it sounds like they may be working to fix it). But Apple going off
just the last four digits? That's straight up _retarded_. Why isn't anyone
asking about Apple's security policies? Thank Sagan I'm not an Apple customer.

~~~
sigkill
Why is it stupid for Amazon to show the last 4 digits? Let's say I have 3
cards on file. If I want to modify card #2 for some reason (billing address,
expiry date) what do I do? Sure, I can look at the other details and take a
guess, but we're on HN. On an average, the normal customer would get
frustrated.

~~~
abraham
> Why is it stupid for Amazon to show the last 4 digits?

I think npsimons was saying that it is stupid for Amazon to let you add a fake
cc number and then take over an account using that same fake number. Not that
they show the last 4 digits.

~~~
sigkill
Ah well, then I stand corrected. So, now the question becomes, should you be
allowed to add credit cards over the phone? Or does it become, how long should
Amazon wait until they accept the new credit card as a valid ID?

For the second question, I'd say Amazon should wait until the user "confirms"
the credit card. That is to say, send the user an email stating "Hi! New
credit card added to your account. Click here to verify".

~~~
abraham
They could do pre-authorizations on the card to make sure they are valid and
match an address on file.

~~~
sigkill
That's a good point. But wouldn't prepaid cards defeat this? I'm not an
American so I don't know how the address verification on prepaid cards works.

------
billpg
Is there a way to use a separate hardware device? Using my phone as the second
factor is nice, but my phone is vulnerable to theft because of its value for
resale.

A sealed gizmo that shows a number just looks like an el-cheapo souvenir.
Without knowing my username and password too, it really is worthless.

~~~
jsight
The linked article mentioned this:
<http://static.yubico.com/var/uploads/pdfs/Howto_GmailYubiKey.pdf>

YubiKeys are relatively cheap and would provide a nice alternative to using a
phone, IMO.

------
nicholassmith
I'm sure someone is probably working on this, but what about a service that
generates a one off seed for the second stage of auth, married with either a
desktop or smartphone app for generating it for the user. Lose your
phone/laptop/PC simply cancel it remotely so it stops generating, same as you
would if you lost your bank card.

I'm sure I'm missing something, but I'm not sure what.

EDIT: I'll let the post stand but I need to read more clearly, I thought
Google Authenticator was purely for Google services.

~~~
lreeves
You can actually authenticate against the GA product from any system - hook it
into PAM for sshd access, use it for another factor in OpenVPN, or even just
wire it into Apache:

<http://code.google.com/p/google-authenticator-apache-module/>

------
smackfu
>Reality: You can tell Google to trust your computer for 30 days and sometimes
even longer.

How is that "even longer" part supposed to work? I have a desktop Mac that
prompts me every 30 days to re-logon to GMail in Safari. Is there a way to add
it to the trusted computer list?

~~~
sundarurfriend
The image linked from there says it's a new feature. I couldn't check it even
by logging out of my account and logging in again (this doesn't deauth the
computer? didn't know), so not sure if it's available for everyone yet.

------
dendory
I would add to that: Web developers, please implement two factor auth for your
own apps as well. It takes minutes, literally, to add support for the Google
Authenticator to your own app. I made a demo a while back inside of an hour.
<http://dendory.net/twofactors>

~~~
danweber
That is very helpful. I'm going to be proposing this to work very soon thanks
to you.

------
xfax
Two-factor auth gets old really fast when you have to use public computers in
a setting like a college library. I had turned it on for a while, but turned
it off when I had 5 minutes to print out a paper that I had emailed myself
(yes, I still do that) and was fiddling with my phone to get the damn PIN.
Never again.

~~~
alfiejohn_
Maybe it's just me but I only trust computers I control.

If you don't have root on a box, consider it pwn3d with keyloggers listening
to every juicy password you type. Take that as your friend's laptop, a library
computer or even your parent's Windows XP box...

Trust no one, Mr. Mulder.

/tinfoilhat

~~~
rryan
You trust computers you control? That's so cute.

<http://cm.bell-labs.com/who/ken/trust.html>

~~~
alfiejohn_
True, but you can only go so far down the rabbit hole until you think you've
done enough due diligence to remove as much risk as you feel comfortable with.

------
oddthink
I did this a few months ago, but I'm thinking of turning it off. I know it's
trivial, but there's something deeply annoying about being dinged $0.20 a pop
for the SMS message to get the code.

I'll have to see if I can set up the Google Authenticator; I hadn't heard of
that before.

~~~
yock
Even without GA (which, if you have an Android or iPhone, I don't see why
you'd have to be without) $0.20 a month seems an incredibly small price to pay
for the benefit of 2-factor auth.

~~~
oddthink
I know, it's irrational, but it adds an extra annoyance factor, far more than
it should. I mean, I spend far more every time I take the subway somewhere.
Driving across the GW bridge costs $12, and I don't worry myself about that.

It turns into four or five SMS every month, when I usually average zero
(various computers, various browsers, etc.) So suddenly, there's this line
item where there used to be none. I can't explain quite why it bugs me.

In any case, I hadn't heard of GA before. I've installed it and life is good.

------
mistercow
It's a good idea, but it's not the weakest link in user security right now. It
does very little to solve problems like Apple positively identifying people
based on totally insufficient and publicly available information.

~~~
acdha
> It's a good idea, but it's not the weakest link in user security right now

I suspect Google is in a better position to judge how widespread account
compromises are than you are. From my perspective, it definitely seems like
security people are all saying that account compromises (keyloggers, phishing)
have been the predominant threat for several years now because they're
suitable for bulk attacks whereas social-engineering Apple is a more limited,
if deeply disturbing, process.

~~~
mistercow
>I suspect Google is in a better position to judge how widespread account
compromises are than you are.

There are a couple of problems with that reasoning. First off, I don't see
where anything Google has said contradicts my point. Yes, MFA is a good idea.
But that doesn't mean it's enough to prevent attacks like the one in question.

Secondly, Google is not an unbiased source on this matter. For cloud services
to succeed (which Google is banking on), it is very important that people
perceive that they (the people) have some kind of control over their own
security. It is reassuring to hear "here are some steps you can take to make
yourself safer". It is terrifying to hear "your security ultimately hinges on
the competence of some of the lowest-paid employees of the faceless
corporations you rely on".

Both of those statements are true, but you're never going to hear the latter
emphasized by Google or any other company heavily invested in the continued
success of cloud based services. (Which is not to imply that they are
dishonest; bias is usually more about delusion than deception)

~~~
acdha
My point was simply that Google sees enough attempts to compromise Gmail
accounts that I believe them when they claim widespread attacks using valid
passwords are common enough that passwords are broken.

> Yes, MFA is a good idea. But that doesn't mean it's enough to prevent
> attacks like the one in question.

It would have stopped this one, in several ways: according to Honan's writeup,
it would have halted things at a key point in the chain of account
compromises. Yes, it's true that you have to trust companies - but that's
always been true, even 100% off-line, as any victim of identity theft could
tell you. The key point is that having any sort of MFA schema would have
contained the damage to one company, halting the cascade.

------
smackfu
OK, so I turn on two-factor authentication for GMail, but...

1) I immediately have to create an application-specific password to actually
read my mail on my iPhone.

2) If anyone ever gets access to that secret password, or any of the others I
create, they have full access to my email and any password resets they
generate.

3) I will have no idea this is happening since I would expect my mail to
access that app password daily.

So your fancy two factor authentication still ends up resting on one piece of
secret info as the weak point. Am I missing something?

~~~
acdha
> So your fancy two factor authentication still ends up resting on one piece
> of secret info as the weak point. Am I missing something?

Yes: that email password cannot be used to change your password, cancel your
account, etc. and can be revoked easily without breaking anything else. This
also means that you're not entering the password which can do all of those
things on a daily basis, further reducing the odds of someone else being able
to capture it even if they do manage the total local compromise or strong SSL
MITM needed to get your ASP.

Security is all about incremental improvements, not silver bullets.

~~~
smackfu
>This also means that you're not entering the password which can do all of
those things on a daily basis,

Before two-factor, were you really typing in your GMail password on a daily
basis?

I mean, I certainly don't deny that two-factor is much safer if you can
actually use it, like on the GMail site. I just worry about the big holes that
application passwords punch in that wall. All it takes is one application
sending your password in non-SSL when you are connected to an insecure wi-fi,
and you are hosed. Is every Google login for every service SSL only?

~~~
staticfish
Exactly. Let me know if you find an answer to this.

I have a policy where I will only add a generated application-specific
password to really trusted applications (internal OS apps mail, calendar etc),
and have gone as far as to sniff all traffic for each of these apps.

------
revjx
I've been avoiding doing this, and I'm not certain the reason is valid - I
don't want Google to have my mobile phone number. Perhaps I'm being overly
cautious, but the fact Google already collects such a huge amount of data on
me, coupled with the increasingly insistent requests to enable two-factor with
my mobile phone number, has made me not do it. I got so sick of being pestered
about it that I stopped using Gmail a little while ago.

~~~
jarito
You don't need to enter your phone number to use Google's two factor. You can
use their smartphone application to generate codes. If you don't want to do
that, the algorithm is free and open-source so you can probably find an
alternate implementation that works fine.

~~~
revjx
As far as I'm aware, it's not available on Windows Phone 7.

~~~
icebraining
Not GA itself, but there are compatible implementations:
<http://www.windowsphone.com/en-US/apps/021dd79f-0598-e011-986b-78e7d1fa76f8>

------
peterwwillis
Here's why I don't use two-factor authentication for my Google accounts.

It's not worth it.

I don't run a business. I'm not a celebrity. I don't keep confidential
information in my e-mail. And I don't register all of my various accounts at
sites around the web to just one e-mail address. If someone got access to one
of my e-mail accounts it would probably be a general-use one, and quite
honestly it wouldn't affect me much.

It's also annoying to have to verify every time I log in. I probably log in
more often than most people. When my browser session ends, all my cookies,
cache and history are erased (not because I'm paranoid, but to help guard
against CookieMonster, history probing and similar attacks on sites that don't
do secure browsing right). Even though it may only be occasionally, having to
go find my phone to authenticate the login takes away from my browsing
experience, and I don't find the tradeoff worth the hassle.

It doesn't help that Google's authenticator medium is SMS. As a hacker, I find
there are way too many avenues to intercept the token (not the least of which is
an already-logged-in Google Voice session!). I like the idea of using a
YubiKey, but if I have to stick the device into my computer, it's annoying. I
prefer plain-old tokens like RSA's SecurID or the PayPal token (I got mine
when it was still only $5). But it's not automatic. I have to do a bunch of
work to set it up, and I'm lazy.

At the end of the day, even once you set up two factor, a good attacker will
_still_ get past it if they really want to. Separation of accounts will go a
lot farther towards keeping your digital self safe than putting all your eggs
into a two-factor single-account Google basket.

Edit: This post has encouraged me to pay the $20 for Bank of America's
SafePass Card, which I consider to be much more secure than an app or sms.

~~~
fr0sty
Please, please, please, please RTFA before ranting.

SMS is not required (you can use the google Authenticator App).

The Authenticator app works just like a "plain old token".

Separation of accounts means squat if your passwords are intercepted. 2 factor
auth requires physical access and reduces the possible pool of attackers from
billions to hundreds.

~~~
nagisa
You still need to hunt for your phone (on top of that, you must have one) to log
in...

~~~
peterwwillis
That, and I don't trust "an app." The whole reason I want a second factor is
to get away from computers as primary authentication mediums, and a smart
phone is a computer.

I don't think anyone realizes how much malware is in the Android marketplace.
And that's beside the malware that vendors and carriers install on there by
default. _Do not trust your phone._

~~~
teraflop
The Authenticator app is open-source [1] and extremely minimal. It doesn't run
with permissions to access any data on the phone, or even communicate over the
network; all it does is read the system clock every 30 seconds and compute an
HMAC.

[1] <http://code.google.com/p/google-authenticator/>
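The "read the clock every 30 seconds and compute an HMAC" scheme described above is TOTP (RFC 6238, built on HOTP from RFC 4226). As an added example, not code from the comment author or from the Authenticator project, here it is in Python together with the server-side check; the secret is the RFC test key, base32-encoded the way the app accepts it.

```python
"""TOTP as specified in RFC 6238, the scheme Google Authenticator implements."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the ASCII key from RFC 4226 / RFC 6238 Appendix B,
# base32-encoded because that is the form Authenticator-style apps take.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # the 30-second window the comment refers to
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""), casefold=True)
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side to tolerate clock skew, comparing in constant time. A production
    verifier must also refuse to accept the same code twice, because a code
    stays valid for the whole step (RFC 6238 section 5.2)."""
    base_counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, base_counter + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test secret:", totp(RFC_TEST_SECRET_B32, now))
```

The same computation runs on the phone and on Google's server, which is why a phone whose clock drifts by more than the verifier's window stops producing accepted codes.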

~~~
peterwwillis
The app isn't what worries me, it's what else is running on the phone. Android
malware comes in the form of a rootkit, usually, which means it has total
control over your device.

Not scared? How about this article[1] from over a year ago, which details over
50 apps in the Marketplace using a rootkit which not only controls anything
you do, but can download new code to keep changing at a whim?

[1] [http://www.guardian.co.uk/technology/blog/2011/mar/02/androi...](http://www.guardian.co.uk/technology/blog/2011/mar/02/android-market-apps-malware)

------
coffeecheque
I really hope other services start offering it as a feature.

Namecheap, I'm looking at you. DNS web apps are a huge possible attack vector.

Also, RE the Google one-time-use passwords for POP/IMAP. They are all lower
case, alphanumeric, and 8 chars long.

How secure are they against brute force? Why wouldn't Google offer 16 char
options, or even longer? Is 8 good enough?

~~~
zapman449
The application-specific passwords are 16 characters long. Four blocks of four
lowercase characters.

I too would rather them be longer, and involve at least some numbers if not
specials... but they're not THAT short.

~~~
coffeecheque
Really? I was sure it was only 8 when I went through the process 2 weeks ago.
2 lots of 4.

Time to go and generate some new passwords!

~~~
pooriaazimi
Hmmm... I generated a batch about 2 months ago and another batch last week. In
both cases, they were of the form

    llll llll llll llll

(l: [a-z])

~~~
coffeecheque
Happy to stand corrected. My apologies all round.

Thanks everyone!

------
dredmorbius
Just answer me this: why does Google insist on using a phone for this?

Really: the company's got far too much personal information on me. Pick
something _else_ I can use. An OTPG (similar to the RSA keyfob), say.

Added bonus: this gives a pathway for _other_ services to also offer 2-factor
auth.

~~~
pnathan
From what I understand, a phone number is close to a primary key to people in
the US these days.

------
smountcastle
I did this but was expecting more from Google. As an example, it was easier to
add two factor auth to my Blizzard account (and install their authenticator)
than it was for Google. These are the steps for Google:

- Add mobile phone to account
- Enter code from SMS
- Generate random passwords for multiple apps which don't support two factor auth (this took a while).
- I wasn't given any instructions on how to switch from SMS to Google Authenticator app so I had to search for those instructions and then set that up.

Granted, Blizzard controls the entire experience, they're not dealing with 3rd
party apps, but it seems like Google could make this easier. And once it's
trivially easy to set up, then it can be made the default.

~~~
brown9-2
The difference is, as you mention, that for your Blizzard account there is one
app that needs to be changed to use 2FA, whereas with Google you are using
your account from dozens of apps that they do not control and that cannot be
made to support the 2FA login process. It's an unfair comparison.

------
3amOpsGuy
Browser compromises are the ones I worry about. A remote attack that reveals
everything your browser has or knows.

I've been using 2 factor on google for a year or so now. It's not perfect -
especially the ways it can be disabled - but it's better than the status quo
for now.

------
pikewood
I'll propose a sideways solution: implement an "Administrator" mode on these
accounts that requires separate authentication--perhaps enforcing two-factor
authentication there.

There are many complaints about how Microsoft didn't protect Windows users
enough because everyone had administrator access as a default. But isn't that
the same problem with these Google and Apple accounts? With your standard
account, you can change your password, delete all data, and do many other
damaging acts.

I don't really want to enter in multiple PINs/passwords each time I read
email. But I would be more than fine doing so before being given the ability
to damage my account.

------
tammer
Quick question for all you security experts:

Which is more secure: LastPass with 2-factor, or a gpg-encrypted password safe
on my home server accessed by a passphrase-locked RSA-encrypted key?

I've been trying to decide for the past few weeks. Copying and pasting
passwords isn't as annoying as I thought it would be, and it seems like
keeping my pwsafe locally reduces the attack vector of the LastPass servers.

Then again, it's in LastPass's absolute interest that my info never gets
leaked, and they've built up a good reputation. Further, at a public terminal
my usb drive would need to be connected while I unlock the key, thus possibly
exposing my unencrypted key.

Any ideas?

~~~
mike-cardwell
LastPass is only one persistent XSS flaw away from having your password store
completely compromised. I found a non-persistent one last year which exposed a
lot of information about you, but not your password:

[https://grepular.com/LastPass_Vulnerability_Exposes_Account_...](https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details)

Specifically it exposed your email address, your password reminder, the list
of sites you log into and the history of your logins, including which sites
you logged into, the time and dates you logged into them, and the IP addresses
you logged in from.

EDIT: I used to use LastPass but now I use a GPG encrypted file, which I sync
between machines. I set up a simple helper script so I can just type for
example "password facebook" at a terminal and it will do a gpg --decrypt on
the text file, grab the facebook password, display it, and also copy it into
my clipboard for ten seconds.

~~~
tammer
Thanks for the detailed info!

Combined with two-factor ssh auth[0] for using a public connection, looks like my
gpg file is the perfect solution.

[0] <http://news.ycombinator.com/item?id=3029680>

------
dholowiski
Sigh, OK. I'm turning it on today. Was going to do it right now, but then I
realized that I'm at Starbucks right now... probably not the best time to be
messing with passwords.

------
macspoofing
Do you trust the minimum wage customer service reps of your phone company to
not be susceptible to social engineering?

Two-factor auth, via SMS, may not have saved Matt Honan.

~~~
ConstantineXVI
Use the app, it's not vulnerable to such an attack.

Or buy a prepaid phone, and don't use the number for anything else.

------
T-R
I use 2FA, but it's an absolutely frustrating experience. Most apps just don't
support it. Google Music Manager requires a trip to accounts.google.com for a
new App Specific Password every time I restart my computer, whereas Swiftkey
just loses its ability to offer suggestions until I manually re-authenticate,
which takes several minutes every time it happens, while I wait for an SMS and
switch between apps.

~~~
abraham
Sounds like something is wrong with your computer. I set up Music Manager
months ago on two different computers and they have been humming along fine
ever since.

------
larsberg
It seems to work well with Firefox and Safari, but I've found that two-factor
auth doesn't work well with Chrome if you've set it to clear cached files (not
cookies) on exit. For some reason, that setting causes Chrome to lose the
30-day permission, so every time Chrome crashed or I rebooted my machine, I'd
have to go through the SMS dance. Doesn't happen with the similar setting in
Firefox.

------
joshstrange
Well I turned on two-factor authentication and then updated Sparrow (iOS and
OS X) with the new password and everything was fine... Until the iOS version
constantly kept telling me I had an incorrect password. I tried various
troubleshooting tips online but to no avail. Until I can use this with
everything I can't use it at all.

------
OriginalSyn
The only time I regret turning on TFA is when I'm lying in bed with my laptop
and my phone is slightly out of reach.

------
the1
Turned it on. Was so annoying that I removed Google accounts.

------
jonknee
What's the status of Google's two-factor authentication with Sync (Exchange)?
Last time I tried it was a mess and the added security was not worth the
hassle of not having everything pushed and kept up to date.

------
kernel_sanders
I'm glad this is on the front page again. I just set mine up. thx internet.

------
andrewcooke
Is there an authenticator that can run on my computer? I see an Android app -
is there something similar that can run on Linux?

Or does that defeat the purpose because it's not going to be a push
notification? (If so, any way to fix that?)

I'm not normally mobile. If I _am_ travelling and need Gmail, I will have my
laptop. I don't have a smartphone and my dumbphone won't work abroad.

EDIT2: oops. Ignore previous edit. That was using Google to connect to Linux.
Not vice-versa.

~~~
subsection1h
Here are a few implementations that supposedly run on Linux, but I haven't
tried them yet:

<https://code.google.com/p/cuteauthenticator/>

<https://github.com/mclamp/jauth>

[http://blog.jcuff.net/2011/02/cli-java-based-google-authenti...](http://blog.jcuff.net/2011/02/cli-java-based-google-authenticator.htmllinus)

Also, Android can apparently be run in VirtualBox, but I haven't tried that
yet, either:

<http://www.buildroid.org/blog/?page_id=121>

~~~
andrewcooke
Thanks.

The first link makes the valid point that it's not that smart to run this code
on the same machine used to access the service (if that machine is compromised
then the "two factor" aspect becomes a single, compromised factor).

So I guess maybe what I was planning is not so good an idea. On the other
hand, maybe it's better than nothing.

------
MatthewPhillips
Question: How many designers/UX people were in the first meeting about two-factor
authentication at Google? How many security engineers?

------
JohnBooty
I turned it on. Had been meaning to for ages, but never did. Thank you, Mr.
Article Writer.

------
Kiro
I just turned two-factor authentication on and it forced me to set "program
specific" passwords for like 10 different apps and seriously messed up my
phone. I had to deactivate it. What's with the hassle?

~~~
maxerickson
For the second factor to mean anything, all the apps that don't support it
need a password that has fewer rights.

Hopefully they figure out a nice way to make the rights more granular (so that
a chat app can't mess with email or whatever).

~~~
sp332
Do those passwords have fewer rights? I figured that if _any_ of those
passwords got compromised, you were screwed (until you found out which one and
revoked it).

~~~
maxerickson
A little less. They can't be combined with the 2nd step verification to make
changes to settings that require 2 step verification.

So instead of losing access to your account, you just lose all your email
(yay!).

~~~
sp332
This has always been the part I don't like about Google's 2-factor auth. Right
now, I have one strong password that would have to be compromised to access my
email. If I enable 2-factor, suddenly I have (last time I tried it) about 20
new passwords, any one of which could yield access to my email. That does not
really seem more secure.

~~~
maxerickson
I think the more important question is whether it is less secure. It does make
it harder to seize control of the account (which might be a lame consolation,
but backups are a good idea either way), and it is (potentially) more
convenient in the event that one device is lost or misplaced.

Someone who previously always logged out might be exposing themselves to more
risk by storing the app passwords, but I think that's about the only case
where it is worse.

~~~
sp332
It decreases the severity of a breach but increases the likelihood. Per-app
passwords can't be used to take over an account. But they can be used to read
my email. I think just shifting the permissions a little so that I can
"authenticate" without also giving out the creds to my email would be
acceptable.

------
ck2
How does it work with pop3/imap?

~~~
kral
You can generate a specific password for each application:
[http://support.google.com/accounts/bin/answer.py?hl=en&a...](http://support.google.com/accounts/bin/answer.py?hl=en&answer=185833)

------
xmpir
did it today :)

------
petenixey
I'm really frustrated with Google and this 2-factor authentication. They are
in such a great position to really change the way in which people secure
themselves and they've completely missed the trick [edit: FOR THE AVERAGE
USER].

Google 2-step auth is very hard to use and for how hard it is to use it
doesn't provide all that much protection. It protects against phishing
(mostly) but not against someone who has your phone. Malicious ex-girlfriend
trying to do you harm? Google 2-factor won't help you a bit as long as at some
point she had access to your phone.

Any security improvement is better than no improvement so let's concentrate on
the real issue which is ease of use.

1. Google 2-factor auth requires application-specific passwords, which are deeply
confusing

I founded Clickpass and I can only just get my head around this. One password
per application? This is a very confusing concept and very difficult for the
average person to understand. There's no indication of whether you can
reasonably create one password and reuse it in all your apps (which I think
you can).

Application specific passwords are very confusing and not that much more
secure than one revokable password for all applications.

2. Application-specific passwords are almost impossible to use on mobile apps

Ever tried copying a 12-digit long string into a keyboard which only shows you
the last letter you entered and even then only for half a second? It's really
hard. You can't copy and paste them and you have to have a computer nearby to
do it (it's very hard to use the Google password-generator page on mobile).

Here is the list of the application-specific passwords that have to be
individually entered (10+ characters each):

_On my mobile_

- iPhone mail
- iPhone Google account (through browser)
- iPhone work mail
- iPhone (work Google account through browser)
- iPhone calendar
- iPhone calendar (work)

_DUPLICATE ALL OF THE ABOVE FOR iPad_

_DUPLICATE ALL OF THE ABOVE FOR MacBook Air_

Switch on 2-factor auth and you immediately find all these apps go dead until
you do this. It will take you about 15m at least to do this and you'll have to
do it again if you change your password or get a new device. You can't copy
and paste because the Google auth-token page is unusable on mobile.

_What we need is easy, incremental security improvement_

The problem with Google 2-factor auth is that it was designed by security
geeks. It takes 3m just to watch their setup video! The system needs to be
designed by usability geeks and audited by security geeks.

2-factor auth is no use at all if it's switched off. Contrast my switched-off
2-factor auth with my Facebook auth, which texts me every time someone logs in
from a new machine, and you contrast a system which provides me with a bit more
security (FB) and one which purports to be secure (Google) but which adds
nothing.

Google needs to rip the security guys out of their security team and put the
user experience people in. End-user security is a UX problem and Google is in
a powerful position to effect change.

[Edited above for (a little) brevity]

EDIT BELOW: for folks who feel this account is unfair:

I realise that if you keep a PGP encrypted file on another device that is
necessary to do your password reset then yes, Google 2-factor auth is very
strong indeed.

I also realise that you shouldn't tell someone your password. The point is
though that resetting your password is something that only really needs your
phone. The key elements to resetting your password usually involve sending a
password or an out-of-channel token to another account. For most people that
other account is their work mail or Facebook, both of which are usually
accessible via their phone.

I'm not talking about the absolute strength of Google 2-factor authentication.
I'm talking about how that type of process applies to the type of internet
user who tries to log into Facebook through ReadWriteWeb:

[http://www.readwriteweb.com/archives/facebook_wants_to_be_yo...](http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php)

~~~
bretthoerner
> it won't protect you from someone stealing your phone and opening your
> authenticator to login to your account

Why do they (and your malicious ex) know the other half needed to login - your
password?

~~~
petenixey
They don't need to know it. To reset your Google password you need your backup
email account (Facebook / Work email ) or your telephone number or text. All
of these are almost invariably accessible without further authentication via
your phone. The protection that 2-factor authentication adds doesn't apply in
the event that someone has the second factor. We're talking about the
incremental improvement rather than the protection granted by your password.

------
kral
Done.

