Google 2 Step Authentication Review

One of my friends had her email account hijacked recently. The hijackers had obviously got hold of her password somehow and were sending out emails to her address book claiming she was stuck overseas and needed money sent to her. I’d read about this sort of thing but never had it happen to me or anyone close to me. I suspect that it would be quite easy for the less knowledgeable and naive not to realize and to send money and be taken for a ride, as it was certainly more “sophisticated” than the typical Nigerian scammer email. I actually toyed with them for a while (to the extent of trying to send them to my mate Kon Stabel at the address of the local police station :)) and the hijackers were pretty “sneaky” about trying to get money out of me.

It was then I decided I should really do something about strengthening my own security around my accounts by turning on Google’s 2 step authentication which I’d read about but never got around to implementing.

Working in IT you’d think I’d know better; however, this got me thinking about all the information I have stored in my Google account. Access to my email alone exposes other sensitive information, and as a flow-on from my emails it gives indirect access to other websites: password resets for non-Google applications or sites are sent to that email address, and applications that use your Google account as a “passthrough” login become accessible too. In addition, if you’re part of the “Google-verse” (“luckily” my above friend had just a Hotmail email account), access to your Google account gives access to email and all your other Google apps such as Google+, documents, photos, Reader, YouTube and other info. A bit scary really :(

Google 2 step authentication works on two things: something you know – your password – and something you have – your phone/tablet.

It’s easy to turn on from your Google Account Settings.

Once you turn on 2 step authentication, whenever you log in to your Google account you enter your normal password and the site then asks you for your authentication code, a 6-digit number.

Google Code Verification

This code can be delivered to you in a number of ways:

  • SMS to a specified mobile number.
  • Voice call to a specified mobile or landline number.
  • Google Authenticator app for Android, iPod/iPhone/iPad and BlackBerry – this app generates a real-time, time-sensitive code for you to enter, based on your account. The system is very similar to the more commercial, business-oriented RSA tokens that many enterprise businesses use for their 2 step authentication. It will allow you to create codes for multiple Google accounts if you have them.

The Google Authenticator App for Android

So to log in, you need to know your password and also have your mobile phone to receive or generate your 6-digit code. Even if your password is compromised, a would-be thief still needs to get hold of your phone to hijack your account. Each code is only valid for around 30 secs.
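To make the 30-second codes concrete, here is an added example (not code from the original post or from Google) implementing the RFC 6238 TOTP algorithm that Google Authenticator follows: HMAC-SHA1 over a 30-second step counter, truncated to 6 digits, plus the base32 decoding of the key shown under the setup QR code. The key used is the published RFC 6238 test key, not a real account secret, and the one-step skew window in `verify` is an assumption about how a verifier might tolerate clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 parameters used by Google Authenticator: 30-second time step,
# 6-digit codes, HMAC-SHA1 over the step counter.
STEP_SECONDS = 30
DIGITS = 6

# The RFC 6238 reference test key ("12345678901234567890" in ASCII), written the
# way Google shows a secret under its QR code: base32, grouped in blocks of four.
# This is a published test vector, not a real account secret.
RFC_TEST_KEY_BASE32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_base32_secret(key: str) -> bytes:
    """Decode the base32 key shown during setup; spaces, lower case and
    missing '=' padding are tolerated so a hand-typed key still works."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros: "005924" is a valid code


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch.
    Every second inside the same 30-second step yields the same code."""
    return hotp(secret, at_time // step)


def verify(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check. `window` is an assumed tolerance: the current step plus
    that many steps either side, so a slightly skewed phone clock still passes.
    Constant-time comparison keeps the check from leaking how many digits matched."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * STEP_SECONDS), submitted):
            return True
    return False


def seconds_left(at_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code shown at `at_time` remains the current one (the
    countdown Google Authenticator draws next to each code)."""
    return step - (at_time % step)


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_TEST_KEY_BASE32)
    now = int(time.time())
    print(f"code now: {totp(secret, now)} (valid for another {seconds_left(now)}s)")
    # Published RFC 6238 SHA-1 vectors, truncated to 6 digits:
    # T=59 -> 287082, T=1111111109 -> 081804, T=1234567890 -> 005924
    print(totp(secret, 59), totp(secret, 1111111109), totp(secret, 1234567890))
```

Because the code depends only on the shared secret and the clock, a code captured by a keylogger is worthless once its 30-second step has passed, which is the property the paragraph above relies on.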

You can choose to trust a machine for up to 30 days, so you won’t be asked for a new verification code again on that same machine for 30 days. If you find yourself logging in on another new machine or on a public/shared device, you’ll have to input a verification code again. On a public machine, if you don’t use the 30 day option, the next time you log on to that machine you’ll have to enter another verification code, which is quite handy if you find yourself having to use internet cafes to access your Google account. Even keyloggers will only be able to grab your password, as the verification code you enter is only valid for a short space of time.

Application Specific Code

Some devices and applications won’t let you enter the second security code, so you need to create an Application Specific Password (e.g. for the Gmail login on Android). To enable these to access your Google account you generate a 16-character alphanumeric code that you use in place of your normal password. It appears to me that the code is a hash of your user name and what you name the application (e.g. “Gmail for Android Login”). (As per the discussion below it would appear it’s not a hash, unless it’s time based as well: putting the same application name in gives different codes. Perhaps it is just random.) You then use this code rather than your normal password to log on. You normally only have to use this password once, and you can always revoke the pass code if you need to for any reason.

If you’re out of mobile range or you don’t have your phone with you, Google can also supply you with a list of backup codes which you can print or store somewhere where you’d normally have access to them other than your phone.

As an exercise, sit down and work out what information and access would be available should your Google account be hacked. While there’s a small amount of extra work involved in setting up 2-step verification, as well as some extra “work” involved in logging into your Google account, the extra security you get is well worth the effort to protect your sensitive information.

Addendum: 4 Jan 2012 – I’ve just found that the Google Authenticator can also be used as a 2 factor authenticator for the Lastpass password manager as well :)

Addendum: 7 Jan 2012 – A quick heads up about using the Authenticator on either multiple or new devices. If you turn on authentication and just follow the instructions on a single device, then when you want to add a new device (which will happen with upgrades) or an additional device, you’ll actually have to turn off verification and recreate your account codes (only your live ones, not the application specific ones) on both your old and new device. The trick is that when you initially turn it on, take a screenshot of your bar code and/or the key it gives you and store it in a safe place. Then you can just load GA onto your new device and rescan or manually input the account verifications when you create the account in the app.

Product Information

Price: Free
Manufacturer: Google
Requirements:
  • A Google Account
Pros:
  • Extra Security to protect your Google Account
Cons:
  • Needs to be set up
  • Need to receive or generate code
  • Additional step to login to your Google Account
  • (All minor compared to the extra peace of mind you'll get from the added security :) )
Posted in: Miscellaneous, Reviews

26 comments

  • Ken Schoenberg January 2, 2012, 9:54 am

    If you want to understand how important doing this is download an app called Wireshark and sit in a place with free internet for a bit with it capturing packets.

    It’s far from perfect protection, but it’s a start.
    I really would like to see biometric scanners on most devices to rid us of the password scourge.

    1
  • Riël January 2, 2012, 10:41 am

    Nice story! And, almost obligatory for Google users, and in my opinion totally obligatory for Google Apps users. This is such a small effort for gaining so much security… Thanks for spreading the word!

    2
  • Julie January 2, 2012, 11:04 am

    @Ken How about retina scans.

    3
  • David January 2, 2012, 3:12 pm

    Doh! If you’re concerned about security, you never log into any website using a computer you don’t own for exactly the reason you mentioned, there could be a keylogger. Use your phone, carry a laptop, whatever, but never use a machine you do not fully control. Ever. The damage could be even worse if you use Google Checkout/Wallet which can charge items to your credit card. Giving your password to someone (by using a public computer) because you think 2-factor will save you not only reverts your protection back to a single factor, but that factor is weaker than your original password. That is, correctly guessing a six digit number is easier than correctly guessing an arbitrary length string consisting of numbers, uppercase and lowercase letters, and punctuation.

    The second thing to understand is that there is nothing application specific about application specific passwords. The randomly generated password should be considered an alternate password that does not require an OTP (one time password, another name for the six digit number generated by Google Authenticator) to access the account. If you can memorize it, you can type it instead of your normal password and you won’t be prompted for an OTP. It is easy to revoke these passwords if the device is lost, but you need to keep them private even more so than your regular password since they bypass the second factor. That said, I sincerely hope that the author revoked the application specific password in the screenshot in the article since that would permit direct access to his account without an OTP.

    Lesson: Never, ever, allow someone else to obtain your passwords, application specific or otherwise, through any means. Never give your passwords to anyone, even your spouse or a family member, no matter how much you trust them. Your passwords are yours and yours alone.

    4
  • Henry S January 2, 2012, 4:19 pm

    I used it for a while, but I started having a lot of problems with authentication on my iPhone, so I gave up on it.

    5
  • Ian Lim January 2, 2012, 5:13 pm

    @Julie – no way, haven’t you seen that scene in Demolition Man where Wesley Snipes cuts out the guy’s eyeball to gain access to the retina scanner :)

    @David – Agree with everything you say.
    Didn’t even think of Google Wallet as over here in Aus the only thing it’s useful for is the Android Market. I guess some people don’t have the luxury of having their own smartphone, notebook, tablet especially while travelling so any extra security layer is worth having. Because the 6 digit verification code changes every 30 secs, it is a bit more secure than a straight PIN number as you would have to guess the exact 6 digit code for that precise 30 seconds.
    In this day of loggers, sniffers, trojans, “If you’re concerned about security you never log into any website using a computer you don’t own for exactly the reason you mentioned, there could be a keylogger.” :)
    Maybe what should really be worrying us is how much personal information Google has about us ! :)

    6
  • AK January 2, 2012, 10:53 pm

    Thankfully, i dont use Gmail :D

    7
  • Amir Findling January 3, 2012, 6:11 pm

    I agree with Henry S, I could not even go to the Market from my phone. Fortunately I was able to reverse the process from my tablet. Security is nice but if I can’t use my devices, I’m back to a slate, not a tablet! Lame move Google, and I expected a much more incisive review from the Gadgeteer!

    8
  • Ken Schoenberg January 3, 2012, 6:24 pm

    @Julie, we’re really happy with the fingerprint scanners that are built into ThinkPads. Why none of the other manufacturers include them is a mystery.

    9
  • Ian Lim January 3, 2012, 6:30 pm

    @Amir, I’ve had absolutely no issues on my two Windows notebooks, 2 Android Tablets and 1 Android Phone across 3 different Google Accounts over the last few months. I’ve used the app, SMS and voicemail to get verification codes. I also have applications that need specific passwords as well. If I had issues then I’d certainly report them. Is your phone iOS or Android, is that the common theme with issues that you and Henry had?

    10
  • Ken Schoenberg January 3, 2012, 6:53 pm

    No issues here across 4 laptos, iPod, iPad, Kindle Fire, HTC G2 phone, several desktops and an HP Touchpad.

    11
  • Ken Schoenberg January 3, 2012, 6:53 pm

    well, no issues except that I meant four laptops. :)

    12
  • The Slapster January 3, 2012, 10:28 pm

    Interesting timing, I just got a warning today from within Gmail that my account had been accessed (or had attempted access) from an IP in China. *sigh*

    Guess it’s time to add another layer, thanks for the excellent write-up, at least I understand the process now!

    13
  • Ian Lim January 3, 2012, 10:55 pm

    @Slapster – bummer, at least it was only an ATTEMPT :)

    BTW I’ve just found out that if you use Lastpass password manager you can also now protect that using Google Authenticator :)

    14
  • Amir Findling January 4, 2012, 2:17 pm

    Both tablet and phone were droids. Simply, I could no longer get into the Market from the phone to download the Authentication app. This was my second attempt at using the 2-step system. I dropped out the first time because it became so cumbersome to access my account from different devices. I cannot say it got any better. I did report my problem to Google. Thanks for the answer though.

    15
  • JRH April 17, 2012, 10:03 am

    I also am disappointed in this ingratiating review. When is someone going to admit that google’s two step verification is seriously flawed?

    16
  • Ian Lim April 17, 2012, 10:14 am

    @JRH Again I’ll state I haven’t had a problem across 6 different GMail accounts now (don’t ask :) ) and multiple devices and if I did have them I would have posted my bad experiences. Not sure why it seems to work fine for some and not for others :( To me that’s definitely a flaw but one that hasn’t affected me.

    17
  • ruby nesbitt June 2, 2012, 3:09 pm

    Three days now, traveling in Europe, discover I need a code which arrives punctually on my phone in USA where nobody is home. No back up codes come up to access. Never have. Google so far has not responded. I not only have several gadgets to juggle, but IPs and phone numbers worldwide with different apps. So far I am chasing my own tail to get access to my account and all they tell me is sign into my account using the code. Wait for the phone call… In the USA. They should write in huge red letters, “Use with care!”

    18
  • Carl Smith June 11, 2012, 8:15 pm

    2-Step is a must for many users. I use App Engine to store my user’s data, some of which is very valuable to criminals. It’s not an option.

    If you knew my Gmail password, you could do a lot of harm if I didn’t have 2-Step. All the security in the world is useless if a crook has your credentials.

    As for fingerprint scanning: It doesn’t really work. In order for the recognition system to appear to work, it has to be set up to accept anything that’s at all likely to be correct. It appears to work, because you never test it, but it isn’t fussy about what it’ll validate. Further, you can’t change your credentials, ever. You’re stuck with that fingerprint for life. If someone steals a copy at any point, you’re truly shafted.

    19
  • James July 5, 2012, 8:17 am

    Just because we live in a password world, people need to understand passwords are not secure in themselves. A strong password is not a replacement for the need for other effective security control. People need to be thinking about secondary steps that need to be implemented, like some form of 2FA where a user can telesign into their account and have the security of knowing they are protected. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to be compromised, the user would be protected because if the people who stole the password were to try to use the “stolen” password and they don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account.

    20
  • Dan August 9, 2012, 3:17 pm

    I’m trying to use 2-step. Seems like a nice idea.

    I enabled it, then my Android phone went offline. To get it back online, I learned that I needed to download Google Authenticator. But wait … I could no longer get to Google’s PlayStore unless I was signed in. Got caught in a logic trap, so I disabled 2-step, downloaded Authenticator and started over. Would have been nice if Google made that clear to begin with.

    Anyway, still no joy. Apparently each app within my device (e.g.; Google Latitude) needs to be separately authorized. So, back to searching through Google to find my settings page. Oops. Where is it? I can’t find it from my normal Settings page. Went through browse history, found it, then tried to set up and authorize Latitude. Received a special password. Put that password into the phone when Latitude asks for it. Still, no joy. Latitude says I’m already signed in.

    Now … how does Google Authenticator fit into this scheme?

    Wait. Now my tablet is offline. Can’t get mail. Can’t run my apps.

    I’m a computer programmer. I would never EVER put something like this into the public domain. It’s taking me an hour to figure out all this nonsense, and I still have problems. (Okay, maybe I’m not that good of a programmer.)

    2-step is a nice idea. How did it get twisted into a complicated morass?

    I’m disabling it.

    21
  • Ian Lim August 9, 2012, 8:08 pm

    @Dan – It sounds to me like you’re not quite doing the correct process ( and I’m only going on my interpretation of what you’ve written).

    Process for your Android device is:
    1. Enable Authentication
    2. Go to Authorised applications and sites
    3. Create an application-specific password for your phone, call it “Latitude” or similar
    4. Delete your current account from your Latitude, add the Google account back and use the application specific password generated above instead of your normal password. This should give your phone access to your Google account, sync your contacts and calendar and whatever else and give you access to Google Play.
    5. Install the Authenticator from the Play Store.
    6. If you then say, go to gmail.com on a web browser then you log in with your “normal” gmail login and it should then ask for the passcode, which you get from the authenticator.
    7. You should only need to use the authenticator once and a while when asked.

    You need to repeat steps 2-4 for the tablet, obviously calling it “Tablet”

    If you’re going to run authenticator on both your phone and tablet, it’s worth screen copying the QR codes you’ll get when you first set up authenticator so you can just rescan the QR code on your new device. If you don’t do this it’s a pain.

    Does that make sense or help ?? :)

    22
  • Dan August 9, 2012, 9:07 pm

    Thanks Ian,

    In my previous post, I was attempting to use humor to illustrate a point. The point being that people won’t implement security if it’s too difficult or obstructive.

    Automobile manufacturers understand this principle – this is why seat belts are simple devices, and the airbags are virtually invisible. The only time these devices become significant is when they are needed. If it took 10 minutes to deploy seat belts and enable airbags before starting the engine, nobody would use them.

    When I first read that Google was implementing 2-step, I was enthusiastic. My bank (BofA) uses the same principle, and it’s really easy. So when I tried the same with Google, I was at first frustrated then dumbfounded and finally, disappointed. What with all the complexity, very few people are going to implement Google’s 2-step. I’m disappointed that a company with an astronomical IQ hasn’t gotten this right.

    Even more disappointing is reading some of the comments of people traveling internationally and suddenly being locked out. I travel a lot, so that makes Google’s 2-step a show-stopper for me.

    Thanks again,
    Dan

    23
  • Ian Lim August 10, 2012, 12:55 am

    I totally agree with you Dan about if it ain’t easy, nobody’s going to use it. I suspect it’s a geek solution put together by….geeks :P

    If you’re geeky enough and put the time in and set it up properly, it’s actually not that much of a hassle, but you have to set it up and work out all its “quirks”. For me it was worth the time invested for that added level of security it gives me.

    In regards to overseas, if you use the authenticator rather than SMS codes then moving networks or even phone numbers shouldn’t make any difference. It’s just like having an RSA keyfob with you.

    As you say, if it’s so complicated that people don’t understand it, then why use it?

    Perhaps it’s some sort of geek test put out by Google and I’m happy (sad?) to say I pass :)

    24
  • G Kor August 30, 2012, 8:18 pm

    I set it up today as well and within 4 hours I decided that it’s not going to work for me. As I attempted to set it up, a co-worker saw me fiddling with the settings and commented that she had set it up before, only to give up as well.
    I’d like it better if I could exclude a few of Google’s apps from the extra security. I don’t need it for youtube, reader, googletv or picasa or even google+. I really want to have it for gmail and for the account settings page.

    25
  • Ian Lim August 30, 2012, 8:30 pm

    @GKor – it really is a pity it’s a little bit complicated and convoluted to set up as it really does add a nice level of comfort to your security. Once it is set up then you actually don’t see or need the authenticator that often. I’ve never seen it come up in any of the apps you mentioned.

    26
