
Google Rolls Out Two-Factor Authentication For Everyone. - icey
http://techcrunch.com/2011/02/10/google-rolls-out-two-factor-authentication-for-everyone-you-should-use-it/
======
ekanes
Tried it, and now regretting it. I log in with 6 devices, and the idea that
I'll have to go through re-authenticating them each month isn't fun.

Each re-auth requires a fresh code from the app.

I access google apps via Safari because Apple's mail app has no real search
function. Since the codes expire in 60 seconds, I'm on a timer for writing it
down, launching safari, refreshing to get the "login failed" screen, entering
in my username and password without errors and then entering in my code.
Totally doable, but irritating. Imagine you're in a hurry, and checking your
email as you walk down the street. You open your client and instead of your
email you get an error. The error doesn't tell you what's wrong, it just says
there's a problem with your login. Hopefully you remember that 30 days ago you
reset your token, and that's the problem. Now you can pause everything else,
and set up your email.

Don't have a pen to write down your code while you switch apps? How's your
memory?

I totally get that good security involves expiration dates, but I want things
that "just work", not that "usually work".

In principle it's a great idea, and if I could choose how often it expires I'd
be a happy camper.

</rant>

~~~
TimMontague
I'm able to start the login process in Safari on my iPhone and when I get to
the prompt for the one-time code, switch to the Authenticator app, double
click on the number to get the copy icon, then switch back to Safari and paste
it.

~~~
ekanes
Thanks, that'll help.

------
alanfalcon
My largest worry is that coupled with Google's infamous lack of customer
support, it might be very difficult to get into your account should something
happen to your phone. I know it's something of a pain to have an authenticator
removed in World of Warcraft if you lose it or it breaks, but at least there
you have a phone number you can call that will let you eventually talk to a
human being.

Does anyone know what Google's plan is for lost/broken authenticators?

~~~
Matt_Cutts
You can print out a set of one-time codes and put them in your wallet, plus
you can specify a backup phone number. That's what I did.
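
The printed one-time codes Matt describes are easy to get wrong on the server side. The following is an added example (not Google's code, and not from anyone in this thread) of the minimum a practitioner would want: codes drawn from a CSPRNG, stored only as salted PBKDF2 hashes so a database leak yields nothing usable, and each code redeemable exactly once. The code length (8 digits), sheet size (10 codes) and iteration count are assumptions for illustration, not Google's actual format.

```python
# Added example (not Google's code): generate a printable set of one-time
# backup codes, store only salted hashes server-side, and make each code
# redeemable exactly once.
import hashlib
import hmac
import os
import secrets

CODE_LENGTH = 8      # digits per code; an assumption, not Google's format
CODE_COUNT = 10      # codes per printed sheet; likewise an assumption
PBKDF2_ROUNDS = 50_000


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list:
    """Codes come from the CSPRNG (`secrets`), never from random.random."""
    return ["".join(secrets.choice("0123456789") for _ in range(length))
            for _ in range(count)]


def normalize(code: str) -> str:
    """Accept what a user actually types: spaces or dashes between groups."""
    return code.replace(" ", "").replace("-", "")


class BackupCodeStore:
    """What the server keeps per user: one salt and a set of code hashes.
    A database leak then reveals no usable codes, unlike plaintext storage."""

    def __init__(self, codes: list):
        self.salt = os.urandom(16)
        self.hashes = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(),
                                   self.salt, PBKDF2_ROUNDS)

    def redeem(self, code: str) -> bool:
        """True at most once per code: the matching hash is removed so the
        same code cannot be used again. Comparison is constant-time."""
        candidate = self._hash(code)
        for stored in list(self.hashes):
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


def demo() -> dict:
    """Issue a sheet, then exercise first use, replay, formatting and a
    wrong code. Sample data is constructed here, not captured anywhere."""
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    return {
        "first_use": store.redeem(codes[0]),                              # True
        "second_use": store.redeem(codes[0]),                             # False
        "with_dashes": store.redeem(codes[1][:4] + "-" + codes[1][4:]),  # True
        "wrong_length": store.redeem("1234567"),                          # False
        "remaining": store.remaining(),                                   # 8
    }


if __name__ == "__main__":
    print(demo())
```

The point of removing the hash on redemption rather than marking it used is that the "used" state cannot be forgotten by a later code path; the point of PBKDF2 with a per-user salt is that an 8-digit code has only 10^8 possibilities, so an unsalted fast hash would be reversible in seconds.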

~~~
mkramlich
Hey Matt, seeing your comments on this post reminded me I wanted to say thanks
for making so many comments here on HN. It's awesome to hear from someone
directly at Google in your role. Very cool. I'm sure a lot of us think very
highly of the work you all do at Google. You and Apple, really, kick ass in
this industry.

~~~
Matt_Cutts
I really appreciate that--thank you. HN is a pretty fun place to hang out. :)

------
kalvin
I've been using this on my Gmail account for a couple months in beta. (It was
also available for Google Apps Premier/Education/Gov).

Surprisingly it hasn't been a hassle at all-- anyone who uses their Gmail for
"everything" should start using it.

It takes 15 minutes to set up (you have to / should generate tokens for each
of your mobile and desktop apps, e.g. Apple Mail, iCal, Adium, Meebo, Voice,
Latitude) but after that, it's super easy as long as you always have your
smartphone+authenticator with you.

Spending 30 seconds extra/month/device to enter a 6-digit keycode isn't a huge
price to pay for better security (at least for me-- I have one phone and one
computer.)

------
kprobst
I've been doing this with PayPal and their free security token fob for three
years and I couldn't be happier. This kind of thing should be the standard for
any 'critical' accounts like banking and email. If you don't have a token you
probably have a cell phone anyway.

~~~
jodrellblank
Is that the PayPal fob shown here for $5:

<https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/hardware_software_protection>

Or is there a free one available by other means?

~~~
travisp
You can use Verisign's Identity Protection iphone app for free:

<https://idprotect.verisign.com/wheretouse.v>

------
roc
How does two-factor cut down on phishing again?

Instead of a fake login page with 2 boxes, a phisher could just create a fake
login page with 3 boxes and pass the keycode along with everything else.

The only increased difficulty in phishing, is if the user notes they're seeing
a keycode prompt, decides that they probably _shouldn't_ have to enter that
again _and_ doesn't just key it in anyway.

When we're talking about people who fall for phishing scams, does that sound
all that likely? I mean, these people have a history of ignoring red flags and
being blissfully ignorant to what should even _raise_ a red flag.

Now, what two-factor _will_ help mitigate, is casual sniffing, keylogging,
shoulder-surfing and saved password cracking.

~~~
albertsun
The keycode is unique to each log-in attempt.

~~~
roc
Is this a stand-alone fob-style system, where the keycode is unique to _a
point in time_ with no knowledge of the connection? Or is this some sort of
second-channel verification, where the requesting connection is hashed into
the one-time-pad?

~~~
groby_b
Both PayPal and WoW use standalone fobs, keycode unique to a point in time.

Of course, paypal's "I lost my authenticator, log me in anyways" button is
kind of defeating the purpose...

~~~
roc
Ok, but what is Google offering?

Unless I'm missing something, RFC 4226 sounds like the RSA SecurID system I've
worked with before; which is essentially equivalent to Blizzard's system for
World of Warcraft.

In which case, my criticism stands. It's trivially more difficult to phish a
keycode and the limited window of opportunity is simply a non-issue.[1]

Unless Google is calculating a one-time pad based on the individual login
attempt and sending it along a second channel to the registered user, there'll
be almost no reduction in phishing.

[1] The tens of seconds a keycode is valid are more than enough to establish a
connection.

~~~
groby_b
Which means you phished it _once_. Which means you need to take drastic
actions to exploit it, a slow buildup over time is not an option.

Which in turn means you're more likely to get detected. It's not full
protection - you'd still need a second channel for that - but it's better than
nothing.

~~~
roc
It is certainly better than nothing. I just took issue with the article's
repeated insistence that it'd make phishing harder/impossible.

It does many good things. That is not one of them.

------
stcredzero
Google should publish a good API for this, and allow everyone to use it. I'd
love to have opt-in TFA for all of my sites.

~~~
billpg
OpenID?

~~~
groby_b
You did read the part about "good API", right? ;)

------
EGreg
Great going, google! Banks have been using those RSA dongle thingies for a
long time. Now with mobile phones that isolate one app from another, who needs
em! And you get OTP codes just in case. Nice.

Now I wish my bank would do this.

------
beoba
Looks like it's currently broken. The article says "You can activate it by
hitting the ‘two-step verification’ link on this page[1].", but it's
definitely not there.

However, if you go into "Authorizing applications & sites" it has a warning
box which says "An application-specific password can only be created when you
are signed up for 2-step verification.", with no mention of where or how that
can be done.

It'd be nice if this feature allowed me to have secondary passwords for eg
google talk. I don't much care for having to hand out my full credentials just
to use things like bitlbee/meebo.

[1] <https://www.google.com/accounts/ManageAccount>

~~~
DrewHintz
It's being rolled out over the next few days. Hopefully it will be enabled for
you soon.

<http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html>

------
jasonkester
This would seem to be a good thing to offer if you were a company that had any
form of customer service.

If I were to lose the little thingy that lets me into my bank account, I can
walk into a bank, verify myself, and get another one sent out. Simple and
effective.

Can you imagine the process that you'll have to go through to get back into
your GMail account after losing your phone?

Considering that you can be an AdWords customer giving them ten thousand
dollars a year and still receive nothing but computer-generated form letters
in response to questions about your account, I think I'll pass on this one.

------
imajes
It'd be nice if i could use my own 2 factor, e.g. if i had a securid or
something similar to do. I'm not all that excited to have to open my phone to
get to an app to get my passcode out.

~~~
DrewHintz
The algorithm is RFC4226+TOTP: <http://code.google.com/p/google-
authenticator/> If you have a TOTP device that lets you set the key, then you
can use that instead of your phone.
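
DrewHintz's pointer above (HOTP per RFC 4226 with the time-based counter, i.e. TOTP) is small enough to write out, and doing so also settles the phishing argument roc and groby_b had earlier in the thread: a code is just an HMAC over the current 30-second step, so a phished code forwarded within that step still verifies, but a server that records the last accepted counter will refuse the same code a second time, and the code dies on its own once the step has passed. The block below is an added example, not code from the original thread, from Google, or from the google-authenticator project. It uses the shared-secret test vector from RFC 4226/RFC 6238 as constructed sample input, and the server-side tolerance of one step either way is an assumption for illustration (the page does not say what tolerance Google uses).

```python
# Added example (not code from the original thread, Google, or the
# google-authenticator project): HOTP (RFC 4226) and TOTP (RFC 6238) in
# plain Python, plus a server-side verifier showing why a time-based code
# is still phishable inside its validity window but cannot be replayed
# once accepted.
import base64
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors, used here as
# constructed sample input so the values can be checked against the RFCs.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce mod 10^digits and zero-pad."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(key, int(unix_time) // step, digits)


def secret_to_base32(key: bytes) -> str:
    """Authenticator apps are provisioned with the raw key in base32;
    this produces that string (padding stripped, as apps display it)."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def decode_base32_secret(text: str) -> bytes:
    """Inverse of secret_to_base32; tolerates spaces, lowercase and the
    missing padding that hand-entered secrets usually have."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept the current step plus `window` steps either way
    for clock drift, but never a counter at or below the highest one
    already used, so an accepted code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key = key
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: float) -> bool:
        now_counter = int(unix_time) // self.step
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            if c <= self.last_counter:  # already consumed (or negative)
                continue
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


def relay_demo() -> dict:
    """The phishing scenario from the thread, on the RFC 6238 timeline:
    the victim types the code at t=59 into a fake page and the attacker
    forwards it to the real server."""
    verifier = TotpVerifier(RFC_TEST_KEY, window=1)
    phished = totp(RFC_TEST_KEY, 59)  # "287082", the code for the step starting at t=30
    return {
        # 16 s later: still inside the accepted window, so the relay works.
        "relayed_within_window": verifier.verify(phished, 75),
        # The same code again, from anyone: counter 1 is now consumed.
        "replayed_same_code": verifier.verify(phished, 80),
        # A fresh server 71 s later: counter 1 is outside the window.
        "relayed_after_window": TotpVerifier(RFC_TEST_KEY, window=1).verify(phished, 130),
    }


if __name__ == "__main__":
    print(relay_demo())
```

Two things to notice when running it: nothing in the code binds it to the login attempt, which is exactly roc's objection, so a real-time relay succeeds; and the `last_counter` check is what makes groby_b's "you phished it once" true in practice, since without it the attacker could reuse the code for the rest of the window.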

------
Kilimanjaro
I haven't tried it, but I don't like being bothered with extra stuff, I can't
even imagine my mother dealing with this stuff.

If we can't simplify our users lives, we have failed. Is security hard? Hell
it is. But we can do better and we MUST do better, for the love of science.

~~~
timwiseman
First, this is optional, so no one who doesn't want it has to worry about it.
If you aren't worried about your google account being hacked, then don't
enable it.

Second, can you really think of a better option? Two factor authentication
like this has been used by high security institutions for years and it works
quite well. Personally, it has bothered me for years that my bank does not use
2-factor identification to log in... I am certain there is plenty of room for
improvement, but it is certainly non-trivial.

------
motters
This wouldn't work for me. I own a mobile phone, but I only use it for
specific purposes and don't carry it around with me routinely. Mobile phones
are not something that I care about to any significant extent.

~~~
marshray
Me either, and I work on (a different) mobile phone authentication product!

I did finally give in the other day and got a Nexus S. I've even talked on it
a few times.

------
bdonlan
Where exactly is the option to enable this? I can't seem to find it in my
google accounts page - is it being rolled out gradually?

~~~
daeken
According to the official blog post
(<http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html>),
this will be rolled out over the next two days.

------
tomjen3
Does this mean that I can't use the built-in email on my (Google) Android to
use my account?

Because if not, this is pretty awesome.

~~~
DrewHintz
You can still use applications, such as email clients built-in to Android, to
access your account. Typically you'll need to use an application-specific
password as described here:
<http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056286>

(Disclaimer: I worked on the Android app.)

~~~
travisp
It's not clear from that page, is there any limitation on the powers of the
application-specific password? While it's less likely, if one of those
passwords gets stolen can your entire account still be accessed including your
account settings?

~~~
antrix
On Android, the device specific password is used for your phone's Google
Account. Which means once you set it up, all Google apps like Gmail, GReader,
Talk, Market, etc. will work as usual.

If you suspect your device password is compromised, you can revoke it from
your Google account settings in a regular browser.

------
chalimacos
This is very good for activists.

------
drivebyacct2
Also, apparently HN is having a reading problem today.

>Over the next few days, you'll see a new link on your Account Settings page
that looks like this:

Yes, it's not available yet. And the second password page is very clear about
what it's used for. Reading, people, it helps a lot.

~~~
buro9
As usual they will roll out incrementally. They always do, yet others will
always jump up and down because it's not instantly available for them.

~~~
brown9-2
I'm not sure what you are addressing, no one is debating the merit of this.
drivebyacct is referring to other posts in this thread questioning "Where is
this option? I don't see it in my account!"

------
drivebyacct2
Why does the Android app "Google Authenticator" require ZX Barcode Scanner
when Google Goggles has a faster barcode scanner built in? Sometimes I just
don't understand Google's inability to be consistent. For example, why do
Goggles and the Gallery hide the notification bar. Attention to details
Google...

~~~
yellowbkpk
What do you mean "built-in"? I had to download a barcode scanner app from the
Market since Android didn't ship with one.

Do you mean it's built into something like the Camera app?

~~~
drivebyacct2
"Google Goggles has a faster barcode scanner built in"

Not sure how to make that sentence more straightforward.

~~~
yellowbkpk
Google Goggles is not "built-in", so it's plenty unclear.

------
VMG
do they still have the dreadful "security question"?

------
synnik
I have no phone. Not at all, not a cell, not a work phone, not a home phone.

I suppose this is what I get for being both a hacker and a luddite.

But this definitely will NOT work for me.

~~~
JshWright
So... don't use it?

------
acconrad
Some people are going to find this to be awesome (mostly the paranoid), while
others will just be frustrated they now have to remember two passwords.

~~~
haberman
There is no "remembering" involved -- you get the second password from an app
on your phone. And you only have to enter this second password once per month
(per computer that you access your account from).

~~~
stanleydrew
I assume you enter the second password once per browser session, not once "per
computer." For people who use incognito mode heavily or clear their cookies on
shutdown this will mean using the second password every time, but something
tells me those people are of the type who want to be using two-factor auth all
the time anyway.

------
dublinclontarf
I can see why everyone is so happy, but something to note is the erosion of
privacy. You won't be able to use a Gmail account without a phone.

In countries (China) where you need your ID to get even a prepay phone there
will no longer be any anonymity.

Top this off with the fact that Google doesn't say how often, or if at all,
they give information to the Chinese government, because it's against the law
in China for them to say so.

State secrecy and all.

I personally think this should be optional and not mandatory. Otherwise I will
stop using all of Google's account services.

~~~
ZoFreX
It _is_ optional! Personally I'd rather the second factor was a little more
dependable, the 2nd factor for my LastPass account is a lookup grid. That
piece of paper in my wallet is unlikely to run out of battery power or
otherwise malfunction, and doesn't have the potential privacy issues you
highlighted.

------
hammock
Is anyone else concerned that Google is now basically forcing this on us, so
it can build a database of not only our online history, contact info, etc...
but now linking it to a real-life phone number? Think of what the NSA could do
with data like that.

Not to mention the whole MAC address collection they did with the Streetview
cams as well (allowing them to tie a MAC address and/or IP with a GPS
coordinate)

I'm prepared for the down-votes on this one, but it's something to think
about.

~~~
Matt_Cutts
If you don't want this feature, don't opt in--it's not required. I love that I
don't need to worry as much about people trying to hack my Gmail account.

~~~
hammock
Sure but they're going to ask me about it every time I log in until kingdom
come. And there are a lot of users who will do it blindly unaware of the
consequences that come with linking your online persona to a phone number.

~~~
travisp
I use Google Voice, so I imagine Google already knows all my numbers.

