Review: Google’s Heavy Duty Token Security

Recently, I got a notice from Google that I could start using their two step authentication to add extra security to my email account.  As far as I know, no one’s out to get me, but I’m always a fan of extra security if it’s easily used and well implemented.

Google is famous for trying new takes on old things and deploying beta software early and often.  This two step authentication is not a beta.  Email and other digital services have become essential to everyday life for many.  And Google clearly took great care implementing this new security feature.  The app Google Authenticator has been available for months on the iTunes Store but with no apparent use for non-Googlers.

Two step authentication for the masses is never going to be perfect.  But all said and done, Google gets this one more right than wrong.  

What is Two Step Authenticatiuon

But before I detail my thoughts, let’s review the basics.  Two step authentication is simply a second lock on your account.  Think of a door that has both a lock on the door handle and a deadbolt.  You need two keys to get in.  The digital analogy is similar.  The user account requires two passwords instead of one.  At a very basic level, this could be merely two passwords you have to remember:

username: hmciv
1st password: 123456
2nd password: 0p3nSaysM3

But this doesn’t offer much more security than a single password.  A more secure system is an account which requires a password you know and a password you (and you alone) must look up.  This is the idea behind token based passwords.  Using the door analogy this would be akin to having combination lock and a deadbolt on your door.  You need the password you memorized and the key in your pocket to get in.  Tokens are a sort of digital key.  An electronic device generates a new token (i.e. a random number) every half minute or so.  Only the system you are logging on to and the token generator in your pocket know the sequence of numbers being generated.

Companies such as RSA use SecureID token generators that fit on your key chain to generate the second password.  The new ones are USB devices which make the key analogy very apt.  But up to now this level of password strength has only been available to businesses and governments able to afford the costs.

Enter Google

Google’s solution is typical of their computing philosophy.  It uses the smart phone you already own (Android, Blackberry, or iPhone) as the counter.  It’s free for users of Google’s services (Gmail, Google Docs, Picasa).  The opt in service has been rolled out to users gradually to facilitate a smooth transition.  And given the length of time Google Authenticator was on iTunes before Google announced general availability, I’m guessing the system has been heavily tested by Google employees before rolling out to customers.  And they seem to have thought considerably about some of the more devilish details.

Setup

Overall, setup was fairly straight forward.  The first step was setting up my smart phone.  I downloaded the Google Authenticator app and fired it up.  Google has a slick barcode system for automatically configuring the smartphone.  You snap a shot of the barcode and it handles the rest.  I tried scanning the barcode but my phone’s camera wouldn’t pick it up.  Maybe my iPhone 3G is too old.  So I typed in a long code and clicked next.

QR Barcode iPhone 3G Trying to Read a Barcode

Google confirmed the token counter on my smart phone was working by having me do a practice login.  Having successfully done this they next asked me for a backup phone number to send a one time verification code if I need it.  This is pretty good foresight on Google’s part.  Tokens are great for security, but if you lose your phone you’re pretty much doomed.  The backup phone number lets me send a text message or voice message to a phone number of my choosing in case my smart phone drowns again.

The third and final backup was a list of single use codes.  If I don’t have my cell phone or my backup phone, basically if I’m left for dead in the wilderness and really need to check my email, these codes will give me ten chances to do just that.  Here I faced a conundrum.  Given my lifestyle, if I don’t have my smart phone, there’s a pretty good chance my wallet has been compromised as well.  If both are inaccessible, I’m going to have a hard time breaking back into my account.  So I decided to copy the codes to a text file and store them on a separate online account.  Hackers would likely not guess at the context of the numbers.  And if I have access to Gmail I will have access to other online services, be it Dropbox, iDisk or even a private page of notes in Facebook.  (Though I never recommend storying anything valuable on Facebook!)

With the account finally setup and verified working, I was given one last confirmation that I wanted to opt in.  So I drew a breath, clicked “Turn on 2-step verification” and that was that.  Google logged me out of all my devices.  I signed on with my original password, then the token, and it worked like a charm.

Application-Specific Passwords

Google had no problem updating its accounts and web applications to use two step authentication.  But local applications such as Outlook, Thunderbird, Apple Mail and even Picasa are not equipped to handle the extra security.  Thus Google’s last step is to generate application-specific passwords.  Google shows you these passwords once only.  I went through my electrical equipment one by one, setting up the sixteen letter long passwords.  That’s when I realized just how closely tided my digital life is to Google!  Apple Mail, my smart phone, gChat on my office PC, Picasa… the list went on.  Each password pokes another hole in your security blanket.  But the passwords are revealed one time only and are “difficult” to crack.  (Odds are 1 in 12 septillion of cracking any one code the first time.)  Additionally, if you suspect you’ve been compromised, it’s a single click to revoke the password forever.

Use and Usefulness

As I said in the beginning, Google’s service is thoroughly thought out.  Unlike it’s many Google Labs and Beta products, Google Authenticator needs few improvements in setup or usage.  But who needs two-step authentication for their personal email account?  Well, Sarah Palin could have benefited.  And if you’re a regular subscriber to Mel Gibson’s conspiracy newsletter (the government one) I would definitely sign up sooner rather than later.

But for those of us who are more anonymous than [in]famous, this security layer is probably optional so long as you maintain a strong password and never share it.  If you’re not the type to go everywhere with your smart phone, the two step authentication could prove a roadblock at a very inconvenient time.  The novelty of entering a super secret token wears off after the first couple of times anyway.  Google has a check box to keep you signed into your personal PC for a month before asking for the token again.  This is a decent tradeoff between security and convenience.  Your personal computer stays under your control and public computers, even ones infected with a keystroke logger will only retain half your password after you log out.

Bottom line, Google Authenticator is a useful tool for those that feel they need an additional layer of security, and those who just want Big Sibling (hey, it’s an emancipated world) to work a little harder.  Just remember there’s more than one way to hack a password if They really really want it from you.

Security "Cracking"

xkcd.com

Advertisements
This entry was posted in google, password protection and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s