Thursday, August 9, 2012

The Problem with Google's Two-Factor Authentication

The media has rightly gone crazy over what technology writer Mat Honan, writing in Wired, called "My Epic Hacking." If you haven't read about what happened to Mat, then I urge you to check out the article and then try to calm down for a few minutes before moving on.

In a business that focuses on quick solutions to big problems, many bloggers and writers have focused on this one statement that Mat makes in his article:

"Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened…"

I don't doubt for a second that Mat is correct.  Google's innovative application of stronger authentication is a great resource and one that I began using just about a month ago after I found some kid in Houston constantly trying to access my Gmail account thinking that it was his.  (I'll rant about that some other time.)  But, don't think for a second that Mat's statement points to a solution.  It's not.

While I'm sure that I'm the only one who reads this blog, in case someone happens upon it who isn't a security professional, let me briefly explain two-factor authentication. When you log on to a web site, it normally asks you for some sort of username (identifier) and a password (something you know).  This is an example of single-factor authentication; you have one piece of shared information (your password) that you add to the identifier (your username) to get access to the web site.  I'll save my issues with password authentication for another time, but passwords are notoriously easy to either break or subvert.  So, adding a second factor provides a little more security over your account (when implemented correctly).  In Google's case, it adds a second password that it sends to another device (e.g. your phone) that you need to fully access your Google applications.

That sounds good at first.  I can see the new ad now, "Hey, two instead of one is better!"  But, just like kids who willingly trade one quarter for two dimes, that sentiment lacks proper context.  Let's take a deeper look.

As I said, I've been using the Google implementation for a little while now and I just don't think that it's something that most people can effectively use.  I wouldn't go so far as to say that it's unusable, but I do think that you need to be a fairly savvy technology person to get it.

The primary problem is that just about every use of Google services that you may want to leverage will require a separate password that will remain active for 30 days.  Unless you are completely tied to Google services and devices, this will quickly become a real pain.

Need some examples?  I'll use myself as an example.  Let's start with hardware.  I regularly use a MacBook Pro, iPad, and Galaxy Nexus (Android) phone in my daily routine.  I also occasionally throw a Windows 7 laptop into the mix (no LiveMeeting support on Mac…bastards!) and a Windows 7 virtual machine on my MBPro that I'll consider a separate device.  All told, I generally use 5 different devices to get me through my day.

When you use Google services and applications, most of them are covered in the standard two-factor authentication process: 1) Log in with your username and password; 2) Receive a text message with a code; 3) Enter the code; 4) Be good for 30 days.  My current list includes 13 different Google services and apps that could go through that process.  

That doesn't sound so bad, right?  I log onto Gmail for the first time in my browser, I receive a text message from Google with a code, and I enter the code.  Good to go.  But, what if you use multiple browsers?  Because no browser seems to work right on Mac OS X (damn Flash!), I usually toggle between three different browsers (Chrome, Firefox, and Safari).  Log into Gmail for each one, get a new code for each one.  I'm basically leashed to my phone just to get onto services.  Go to a conference and use a public kiosk (something you should never do, but for the sake of argument), repeat the process.  I get more text messages from Google than from my wife these days.  iPad Google apps?  Same thing.  Thank goodness I have an Android phone or I would be in real pain.

That's all fine and good (although I hate paying for texts and am completely opposed to paying for a text plan…more on that in a bit).  Anyone can do that.  But, what about when you access Google services from non-conforming applications and devices?  This is where things get hard.

Go figure that my Android phone doesn't completely support the process.  To activate it and feel the Google love that it depends on to function, I need to use the "Application-specific passwords" feature.  That process goes like this: 1) Log in with your username and password; 2) Be told that your login was unsuccessful; 3) Try to log in again; 4) Be told again that your login was unsuccessful; 5) Repeat steps 1-2 until you hit your forehead, say 'Doh!' and realize that you need an Application-specific password; 6) Go to your Google Account Settings; 7) Click on Security; 8) Click the Edit button next to 2-step verification; 9) Log in to your Google account (with only your password!  Shouldn't you need a second factor here too?); 10) Click on Manage application-specific passwords; 11) Go to the input box at the bottom of the screen, enter a name for your application, and click Generate password; 12) Go back to your original log in and enter the Application-specific password in the password field instead of your known password; 13) Go back to enjoying your day!

Depending on your level of IT understanding and your ability to recall silly decisions like turning on Google two-factor authentication, Step 5 would be a real sticking point.  But, from there, the whole process is arduous.  With our rapidly integrated world where the mysterious "Cloud" rules, you can encounter this problem when you least expect it.  

Do you want to connect to Google Drive from your favorite iPad document app (mine is GoodReader)?  Go get a password for it.  Just want to connect your iPad mail app to your Gmail?  Better get over to your browser.  Oh, you want to activate your Android phone?  Yeah, you get the trend here.

Look, I get it.  But, I'm an expert when it comes to this IT stuff.  I know what I'm doing.  What about the other 99% of us who just barely know enough to get by in using our phone that's not a phone but an interconnected magical box that runs our lives?  I wouldn't wish this on my worst enemy much less my family.  I would be constantly on the phone helping them figure out why they can't see their Gmail.

Mat is right.  By activating the Google two-factor authentication, he probably would have saved himself a lot of grief.  But, by focusing on that fact, the media is manufacturing a false illusion that it represents the solution to personal security in the digital age.  It's a failure of vision, of context; a knee-jerk reaction that ignores the broader problem that we just have no control over our digital lives.  

Google has provided a valuable service that it has probably implemented in the best way it can right now, but it is too hard to use for the common digital citizen, and that's the problem.  Adding layers of complexity only serves to remind us of how difficult security is.  That's not particularly helpful.

An aside: How do I get around the text charges?  I use Google Voice to receive all of those texts.  When the password that allows me to access Google Voice expires in 30 days, I've set up the service with an alternative phone number to call, my mobile number, that happens to be my Android device.  What happens if they both expire at the same time (say I take an extended trip)?  Hmmm, I may have to rethink this whole thing.

Update - I more recently discussed how Google's system generally fails to meet the bar of being "Two Factor Authentication (2FA)" and instead represents an example of "Two Step Verification (2SV)." Jump to my associated post to have a better understanding of what the difference is between the two approaches and why that difference is important.