Am I the only person in the world who doesn't have a cell phone? It annoys me that the two-factor auth setups at sites (like Google) assume I have one and don't even have an option for "I don't have a cell phone, please stop nagging me about this."
Still, if I plan to use Google Authenticator, I don't want to give Google my phone number at all. When they insist to get the phone number from me, I don't like it.
I don't think you need to get them a phone number. I use Google Authenticator app on my iPhone, and didn't give them anything. It just scanned a barcode on a webpage IIRC.
The bar code was actually just a code to initialize the code generation (I think it is based on that randomly generated seed and the time, so that then server and client generate the same keys). You could have also typed in the code by hand.
How do you get 2-factor auth enabled at all without entering a phone number? Their help page says that you can switch from phone-based to Google-Authenticator-based authentication after enabling 2fa, but I can't find a way to skip the phone step for turning it on in the first place. This is the screen I get when I click to enable: http://i.imgur.com/cm6Km.png
Sorry, a bit off-topic, but that reminded me of one fun fact.
In Russia, most social networks these days require that you sign up with a mobile number. You cannot start using your account without receiving an SMS verification code.
Buy a $20 used phone and get the cheapest pay-as-you-go plan you can find (you'll only be using the phone to receive text messages, so it should be really cheap) and consider it a somewhat impractical Google Authenticator hardware dongle.
Note that even a cheap, pay-as-you-go phone emits a breadcrumb trail of mobile network (and possibly GPS) location information. Unless you power it down between connection attempts. In which case it still emits breadcrumbs, though fewer.
Perhaps I meant it as a half-rhetorical question; I'm not the only person I know who doesn't have a cell phone, and if you take moment to consider it, I'm sure you'll realize that you know some people in the same position.
There are in fact significant demographics - children and the elderly - where cell phone adoption is rather low. Ironically enough, these are the very groups where enhanced security measures may be most useful.
> if you take moment to consider it, I'm sure you'll realize that you know some people in the same position.
Actually no, I can't think of anyone. Buy an iPod Touch and install Google Authenticator, you will have all the inconveniences of not having a phone but enjoy the security benefits of two-factor authentication.
You shouldn't have to carry an electronic device, though: a list of codes on paper can work fine. That's how the NemID system works, for example (http://en.wikipedia.org/wiki/NemID): I have a big list of challenge/response codes that I carry in my wallet, and each is used once. I use that one successfully to log into my bank with two-factor authentication, but since I have no cell phone, iPod, iPad, or Android device, I can't use Google's version.
What's weird is that Google even sort of supports the numbers-on-paper approach, but for some reason they limit it to 10 numbers.
edit: Hmm actually thought of a possible solution. Looking into how hard it'd be to port the Google Authenticator to a non-mobile platform so I can run it on my laptop.
edit2: Although it looks like you can't enable the Google Authenticator method without first enabling the SMS method...
>edit: Hmm actually thought of a possible solution. Looking into how hard it'd be to port the Google Authenticator to a non-mobile platform so I can run it on my laptop.
Just install an android emulator, e.g. YouWave, and use that virtual android device to run GA.
You can print out more than 10, but only 10 are valid at any given time. There's a link at the bottom of the page with the codes to generate 10 more. I suspect they do this so people don't print out 1000 only to be using 10 (or less) at any given time.
Although it looks like you can't enable the Google Authenticator method without first enabling the SMS method...
I'm not sure about this (it was a while ago when I installed it), but I know you can install it on a new device after previously having it installed on another device (which disables it on the first device) without an SMS.
Why are you the only person in the world who doesn't have a cell phone? Why would you assume that super-large companies would consider your single-person use-case?
You can use a YubiKey for Google 2-factor along with a helper app like Yubikco's "sidekick" for Windows [1] or my company's OneTime on Mac [2]. A YubiKey costs about $25 but is very portable, fast and convenient option.
No; I know dozens of people, including myself, who do not have cell phones, and have no intention of getting one. I find this an extremely obnoxious assumption by Google (and others) -- it's not like we're luddites; it's frequently the programmers I know who are least willing to carry a cell phone.
I did this a few months ago, but I'm thinking of turning it off. I know it's trivial, but there's something deeply annoying about being dinged $0.20 a pop for the SMS message to get the code.
I'll have to see if I can set up the Google Authenticator; I hadn't heard of that before.
Even without GA (which, if you have an Android or iPhone, I don't see why you'd have to be without) $0.20 a month seems an incredibly small price to pay for the benefit of 2-factor auth.
I know, it's irrational, but it adds an extra annoyance factor, far more than it should. I mean, I spend far more every time I take the subway somewhere. Driving across the GW bridge costs $12, and I don't worry myself about that.
It turns into four or five SMS every month, when I usually average zero (various computers, various browsers, etc.) So suddenly, there's this line item where there used to be none. I can't explain quite why it bugs me.
In any case, I hadn't heard of GA before. I've installed it and life is good.
Not on AT&T, as far as I can tell. It's either $20/month for unlimited messaging, or $0.20 each. So, unless you're sending or receiving more than 100 messages a month, you're better off without a plan.
I've got a 200 message/month plan from AT&T for $5 a month. My only complaint is that I can't share messages across the two lines on the account so each gets billed $5. (Also, no data plan.)
Standard American mobile billing is to bill both parties, both caller and callee, for both voice and SMS. Contrary to the European practice where caller/sender pays everything.
Mostly it's a downside for Americans, but one plus is that it means the caller's fee doesn't vary based on callee: unlike in some European countries (or Skype), calling a landline vs. a mobile phone doesn't charge the caller different rates.
> Standard American mobile billing is to bill both parties
That's the most bizarre thing I've heard in weeks. Honestly, I'm still laughing. BOTH for SMS and voice?!! God, that's just crazy. No wonder you Americans hate telco companies so much. And I though 0.25 cents (only for outgoing SMSs) that we pay here is absurd.
For voice I actually like it somewhat better: I hate the European system where the caller can be charged extra because the recipient happens to be on a mobile phone, which you can't always even know before calling. In some cases it can be large; I've been charged $0.30/minute calling a Greek mobile phone in the past, as the caller, when I didn't know I was calling a mobile phone (if it were a landline I would've been charged <$0.10/min). I much prefer the American system where the caller just pays the flat calling-out rate, and it's the owner of the mobile phone who's responsible for the extra cost of mobile.
The reason I find it absolutely crazy is that you can't stop people from sending you messages. You can blacklist them (or use a whitelist) of course, but that's still "after" the offense. What happens if a millionaire prankster sends you 20 messages some day? You have t cough up something because of his prank? I find it unreasonable.
But I don't find paying more for calling a cellphone objectionable. A wireless call requires more resources and money for telco company than a wired one (they put wires in houses decades ago and have forgot about it (the maintenance cost is not huge), but they have to actively setup new towers for different locations in cities and change the old ones). It costs them more, so they charge more and I pay more.
> ... you can't stop people from sending you messages
I did. I grew weary of paying for text messages that I have no interest in receiving, so I simply called AT&T and told them to turn off SMS entirely. Since 95% of my phone messaging is via iMessage, and the other 5% is via free Google Voice SMS, I'm not giving up anything at all by turning off my carrier's SMS. I'm not interested in giving a single SMS-related penny to the telecom oligopoly.
Back when cell phones weren't ubiquitous, I once worked at a start-up where one of the really rich technical leads thought it was unfair that he got charged when people called him on his cell phone. I guess he thought that the peons who could only afford land lines were supposed to subsidize him. Which I could have forgiven as plain old selfishness, but he also constantly complained about how unfair society was to the poor.
That specific combination of attributes still bugs me.
It's a good idea, but it's not the weakest link in user security right now. It does very little to solve problems like Apple positively identifying people based on totally insufficient and publicly available information.
> It's a good idea, but it's not the weakest link in user security right now
I suspect Google is in a better position to judge how widespread account compromises are than you are. From my perspective, it definitely seems like security people are all saying that account compromises (keyloggers, phishing) have been the predominant threat for several years now because they're suitable for bulk attacks whereas social-engineering Apple is a more limited, if deeply disturbing, process.
>I suspect Google is in a better position to judge how widespread account compromises are than you are.
There are a couple of problems with that reasoning. First off, I don't see where anything Google has said contradicts my point. Yes, MFA is a good idea. But that doesn't mean it's enough to prevent attacks like the one in question.
Secondly, Google is not an unbiased source on this matter. For cloud services to succeed (which Google is banking on), it is very important that people perceive that they (the people) have some kind of control over their own security. It is reassuring to hear "here are some steps you can take to make yourself safer". It is terrifying to hear "your security ultimately hinges on the competence of some of the lowest-paid employees of the faceless corporations you rely on".
Both of those statements are true, but you're never going to hear the latter emphasized by Google or any other company heavily invested in the continued success of cloud based services. (Which is not to imply that they are dishonest; bias is usually as more about delusion than deception)
My point was simply that Google sees enough attempts to compromise Gmail accounts that I believe them when they claim widespread attacks using valid passwords are common enough that passwords are broken.
> Yes, MFA is a good idea. But that doesn't mean it's enough to prevent attacks like the one in question.
It would have stopped this one, in several ways: according to Honan's writeup, it would have halted things at a key point in the chain of account compromises. Yes, it's true that you have to trust companies - but that's always been true, even 100% off-line, as any victim of identity theft could tell you. The key point is that having any sort of MFA schema would have contained the damage to one company, halting the cascade.
I did this but was expecting more from Google. As an example, it was easier to add two factor auth to my Blizzard account (and install their authenticator) than it was for Google. These are the steps for Google:
- Add mobile phone to account
- Enter code from SMS
- Generate random passwords for multiple apps which don't support two factor auth (this took awhile).
- I wasn't given any instructions on how to switch from SMS to Google Authenticator app so I had to search for those instructions and then set that up.
Granted Blizzard controls the entire experience, they're not dealing with 3rd party apps, but it seems like Google could make this easier. And once it's trivially easy to setup, then it can be made the default.
The difference is, as you mention, that for your Blizzard account there is one app that needs to be changed to use 2FA, whereas with Google you are using your account from dozens of apps that they do not control and that can not be made to support the 2FA login process. It's an unfair comparison.
Two-factor auth gets old really fast when you have to use public computers in a setting like a college library. I had turned it on for a while, but turned it off when I had 5 minutes to print out a paper that I had emailed myself (yes, I still do that) and was fiddling with my phone to get the damn PIN. Never again.
Maybe it's just me but I only trust computers I control.
If you don't have root on a box, consider it pwn3d with keyloggers listening to every juicy password you type. Take that as your friend's laptop, a library computer or even your parent's Windows XP box...
Sure I could. Not denying that there are other ways to get access to the files I need, just that this has become a part of my workflow that two-factor auth disrupts.
I think having a second gmail address just for emailin yourself files for public computers might work for you. Keep your personal email safe, and forward what you need to the other address. It's a good compromise.
Don't underestimate how vulnerable you are when your email gets hacked - virtually every service you use can be accessed by the forgotten password mechanism when your email is breached. I'm pretty lazy and have procrastinated for a long time, but with the recent attacks and realizing what a mess I could face if hacked I finally implemented two factor auth and I have no regrets yet.
The problem of having to type in your password on an unsecured machine still exists.
To access files in this situation, a better approach would have been to upload the file to a webserver. You can then safely download it from the library computer without anything being compromised.
You'd only have to type in the password for an email you don't care about from the unsecured computer, as long as you knew ahead of time to forward the things you needed to print from the library computer. The web server method seems a little less secure since rather than having your files behind a non-two factor email account, they're publicly available. How is that better?
True, but you can only go so far down the rabbit hole until you think you've done enough due diligence to remove as much risk as you feel comfortable with.
Well, is that 5-minutes-to-print an edge case or a more than occasional situation? If the latter, how hard is it to create an alternate email account in which you send non-confidential emails/docs on the spur of a moment?
If it's an edge case, it seems like a trivial one for reducing your security so much. As your documented online data grows, the chance of being hacked only grows. And once you've been hacked, there's really no going back if the attacker decides to do a data-dump and now forever holds your information in perpetuity.
Yeah, yeah, I should probably turn it on. And while I'm at it, I should probably eat more vegetables, less red meat and go to the gym. But I don't see those happening either ;).
Seriously though, when you have to enter the PIN multiple times a day, it gets annoying.
If you're entering it multiple times a day due to using public machines then you really, really should be using two-factor auth as many systems you use may be compromised in one way or another.
How much "fiddling" do you have to do to get your PIN? Unlock code or symbol, select authenticator app, read PIN? On top of loading Gmail and entering your user/pass?
To me, the use case you describe would make me very happy to be using two factor auth - logging into a very important personal account using untrusted, public computers I don't control. I'd be glad for the extra hassle with that.
Something Google could to do drastically improve the security of their two-factor authentication system is to add the ability to give more granular permissions with the application-specific passwords.
I have an application that only needs to send E-Mail through my GMail account (git-send-email), another that only needs to write to one specific GMail label (Android SMS Backup), and Google Chrome surely doesn't need access to everything. But you'd get full access to my account if you compromised any of these.
They already have this for the Connected Sites, Apps, and Services. I sent them a feature request for this a while ago but it hasn't been answered (and there's no way to view it online).
It still does; I had to go through this yesterday. I don't mind Chrome so much per se, but this also means you need an application-specific password for Chrome OS, at least for he initial sign-on, which I find oddly frustrating.
It does if you set up the sync account via the Settings page, but if you ignore the request to sign in, visit some Google page that requires login and log in, Chrome will produce a yellow bar at the top of the screen asking if you want to use that account for Chrome sync. Click yes and you don't need to sign in any further.
> I have an application that only needs to send E-Mail through my GMail account (git-send-email), another that only needs to write to one specific GMail label (Android SMS Backup)
Maybe you should use throwaway accounts for these purposes? That is, have a gmail account for github to send your patches through, and have that forward to your main email account?
In the SMS-backup case...how important is it that you access your SMSes in your Gmail account? My first thought is: it's bad enough that someone breaks into my email, nevermind all my SMSes. But I guess if you have a workflow that requires easy access to SMSes with your email, you can still have a separate email account that does nothing but forward it onto your main account.
So your main account, theoretically, has strong security with the two-factor authentication without having to make backdoors for external apps. People can always break into your throwaway accounts, but they'll have no particular inroad into your main account.
And presumably, you'd have a decent window of time to detect an intrusion and administer the throwaway accounts with your main GMail account
They should at least go as far as create/read/delete.
Then I can uncheck delete for my chat apps. Edit: And grandparent could uncheck read and delete for a couple of their use cases (which is a pretty big improvement).
AFAIK it is still against Google's policies to have more than one gmail-account? That doesn't mean it won't work, of course, but you might end up with Google turning off all your accounts, with no real recourse to fix the situation.
Why do you need access to your google account to send email from github? From:-headers are designed to be readily "forged" (or rather, set to whatever you want). Just send email through wathever means you use, optionally adding a bcc to your own account, if you want a copy of the actual email in your gmail folder?
>> Create multiple user accounts in connection with any violation of the Agreement or create user accounts by automated means or under false or fraudulent pretenses
Also, Google gives you the option of managing multiple Google identities from one account.
Yes, I believe you are right -- I can't find any general restrictions against multiple accounts, or service "subscriptions" either. I seem to recall things were different a while back. Now you can apparently create as many google logins as you like, and associate them with (among other services) gmail.
But, after a few minutes of searching, I can't find any actual promises that google will keep neither your logins, nor your services (eg: gmail) operating -- for any reason.
I guess this is worse if you actually pay them money (did they finally come up with a QOS-statement for paid accounts?)...
For me, Android SMS Backup is definitely convenience over security.
However, some type of SMS backup is required: if the Android SMS SQLite db is ever even slightly corrupted (power loss/program crash [usually when db is large]/etc.), Android will silently delete it: http://code.google.com/p/android/issues/detail?id=10127
Indeed. I have created a couple application passwords for "Verbs" IM on my iPad and my iPhone (though I rarely use chat, but added them just in case). I'd feel safer if I knew these guys can only see see my contacts and send/receive messages. Right now they can see all my emails and probably everything else that's on my google account.
I totally agree with this. I have to be careful where I use app-specific passwords. Currently, I only trust the keychain on my Apple devices, and would never store one of these passwords in plaintext.
I'm sure someone is probably working on this, but what about a service that generates a one off seed for the second stage of auth, married with either a desktop or smartphone app for generating it for the user. Lose your phone/laptop/PC simply cancel it remotely so it stops generating, same as you would if you lost your bank card.
I'm sure I'm missing something, but I'm not sure what.
EDIT: I'll let the post stand but I need to read more clearly, I thought Google Authenticator was purely for Google services.
You can actually authenticate against the GA product from any system - hook it into PAM for sshd access, use it for another factor in OpenVPN, or even just wire it into Apache:
I was worried this would be a major pain when I enabled it, but I have to say, it has been much more painless than I thought it would be. Most of the time, I don't even think about it. Most of my consumption of google mail is through clients on my laptops, iPhone, or iPad. So in that sense, it's not much different from a regular password. The difference is that someone else has a much harder time cracking my account. It's actually much less obtrusive than using lastpass (also highly recommended, but not as transparently usable).
That being said, two factor google auth wasn't going to save Matt Honan here. Identity, trust, and authentication on the internet are all built on a foundation of sand. We need a new model.
If you've spent your career with RSA SecurIDs hanging from your keys, this isn't much of a hassle. I didn't realize that LastPass and others can use the Google Authenticator.
Why wouldn't two-factor authentication protected Mat from at least his GMail account being hacked? Even if password-resets were being sent to the .Me account, wouldn't the hackers still need to generate the authentication token?
According to Matt (and, apparently, his hacker) you're wrong; two-factor would have saved him in this particular instance: "If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped here." (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...)
Naturally, it's not a panacea, but I think a lot of people allow perfect to be the enemy of quite good when it comes to two-factor auth.
Agreed, I missed that tidbit. I guess I was focusing on the idea that someone can wipe your iPhone, iPad, and Mac without ever touching your gmail account. As a father of two year old and 4 month old girls, the photos are the part that of the story that I find the most distressing. Everything else is upsetting, but you can rebuild contact lists and things. Those pictures are completely irreplaceable and it is just gut-wrenching for me to think about that.
That is terrible. Though, I don't understand why anyone would turn on a "find my Mac" feature that has the potential to wipe your entire hard drive remotely unless you have thorough backups. Time machine is dead easy to use; try pluging in a usb hard drive and it will ask you if you want to use this as a backup drive. Arc is something that anyone on the mac should use as well for backing up priceless pictures and files. It encrypts the files locally and then sends them to your amazon S3 bucket as a backup. Easy and cheap too as you are only charged what you backup at the S3 rate(as of now it's ~0.125/GB/Month +a very small amount for put and get requests).
I used two-factor authentication for about a year, and I just got so sick of it. I had no issue with the whole logging in and using the time-sensitive code from my Android phone. It was the support for all the other Google apps that drove me crazy. I got really tired of needing to generate new temporary passwords for access through iCal, Mail, and I think even sites like StackOverflow. Perhaps I was at a point in life where I had too many new devices and changes going on.
It's the typical security vs accessibility trade-offs. Accessibility won.
The app-specific passwords are a feature and if you prefer the extra security over being able to use apps that don't support 2-factor, then you can choose not to use them, and get the full security benefits of 2-factor. It's just that, short of expecting every single third-party client app to implement 2-factor authentication or not allowing access to any that don't, there's no alternative to the app-specific passwords.
They are strictly better than using a single password for everything though, in that they are unique and strong (due to being automatically generated and 16 characters long), and easily revocable.
Non-web apps don't have a UI for two-factor. App-specific password is a compromise, which is vulnerable if someone steals your local installation of the client to get its keys.
Right. Did I say something contradicting that? Google could have decided not to offer application-specific passwords at all, but from any individual user's perspective, that's exactly equivalent to just not using them. At least having application-specific passwords gives you the option, and is at least as secure as giving your master password away to every client application.
I suppose there is one possible negative consequence to users who opt not to use app-specific passwords: their existence alone removes some of the incentive for client applications to implement 2-factor themselves (which I don't know if Google even has an API for). And sure, it would be nice to have features like access control on a per password basis (e.g., so I could allow Pidgin to access only gchat, but no other part of my account). But the implication that the mere existence of application-specific passwords somehow makes Google's 2 factor auth useless is just wrong.
SO would not need a password generated. It would only require that you be authenticated with your Google account.
Two-factor is a pain on iOS devices where every Google app needs it's own unique password and frequently need a new one for every update. Android is a completely different story though and adds almost zero overhead.
Yes, it would. The idea behind two factor authentication is that an attacker now needs two things to access your account: Your password and your phone. With two factor authentication, even if an attacker acquires or changes your password (which is what happened in Matt's case), they still won't be able to login to your account.
I literally could not enter the 2-factor code into my Galaxy Nexus running 4.1.1. The process asked for my password, then redirected to Chrome to finish the process, which asked me for a code. I then switched to the Authenticator app to get the code, but then I couldn't switch back to the place to enter it. Whhaaaaa??? I tried this 3 times looking everywhere.
I finally gave up and turned off 2-factor auth. I'm guessing this is a limitation in 4.1.1, but it really, really sucks.
Several google tools don't have support for the standard 2-factor auth. Instead, you have to create a single use password for those devices. Watch the video on Cutts blog for info on how it works.
This was my android phone I'm talking about. It's clearly a bug in something on the phone. This isn't some "google tool".
I used 2-factor auth before on my phone (a much earlier version of android) and didn't have this problem. It's the typical thing with google: being on the bleed edge is just that, a pretty unsatisfying experience. I think next time a new android version comes out, I may wait a few months before I update.
I've been avoiding doing this, and I'm not certain the reason is valid - I don't want Google to have my mobile phone number. Perhaps I'm being overly cautious, but the fact Google already collects such a huge amount of data on me, coupled with the increasing insistent requests to enable two-factor with my mobile phone number, has made me not do it. I got so sick of being pestered about it that I stopped using Gmail a little while ago.
You don't need to enter your phone number to use Google's two factor. You can use their smartphone application to generate codes. If you don't want to do that, the algorithm is free and open-source so you can probably find an alternate implementation that works fine.
I don't think they need a phone number if you use the Google Authenticator app on your phone. The pin for that is generated based on an initial random seed and the current date/time, not your cell number.
This is the same reason I avoid it. They were insistent about getting my phone number when it was just to verify after a lockout. They've been extremely insistent about it lately regarding 2-factor authentication, which leads me to believe there's a motive here beyond just getting everyone more secure. Until someone can alleviate me of that concern I think I'll have to pass.
I can guarantee you that google knows your mobile number already. Do you have friends? do they know your number? do they have you saved as a google contact? game over.
If you are sufficiently paranoid there are probably call/sms-forwarding services available for a reasonable cost.
It's more than a little likely that they already have your number. They have your email address, and chances are that more than a few of your friends have a contact in their google contacts that has that same address alongside your phone number. You could argue that they can't be certain, but aggregated across however many of your friends have those same details stored for you they can make some pretty safe assumptions.
I'm always dumbfounded when these topics come up and a lot of people start saying how inconvenient it is, that it is all wrong. But these are probably the same people which later accuse Google that they didn't do enough to protect their accounts!
Yes, two factor authentication is a small hassle. Yes, two factor authentication requires a bit to set up. But do you realize how much actually depends on your email account being safe?
For one, how many times did you use Googles OpenID provider? Yes, that's your Gmail account! Or for how many services did you use your Gmail account as the email address? You know that password resets go to that account, right?
Don't do that? Maybe you use Google Calendar, then. So yes, there is actually a lot of sensitive data in there. If you don't believe me, try to get a hold of a friends calendar, and see what you can guess about that person just from the calendar.
Or should someone just post some slander about you on you G+ profile? Or buy some apps from the Android Market? Of course this things never happen to you...
So just take the time to, besides looking at the time or the latest message on your phone, open that stupid app and type that stupid code in! It's not THAT much work!
I just turned two-factor authentication on and it forced me to set "program specific" passwords for like 10 different apps and seriously messed up my phone. I had to deactivate it. What's with the hassle?
Not everything supports the 2-factor auth. And of course you have to set up specific passwords for those. ONCE! You wont have to do that again. What did you expect? That it magically made everything work? Some people -.-
And I have no clue how you managed to mess up your phone… By entering new passwords??
Why can't they just use my "old" password? I don't want to set up 10 new passwords. And yes, I was expecting it to magically work by just enabling it and enter the SMS code. This is too much hassle for something I don't really care about (I don't keep anything of value anywhere online or in my computer/phone).
Why? Maybe because that would defeat the whole purpose?
And why use a (relatively, before someone calls me out) high security measure for something unimportant in the first place? You wouldn't use a full biometric security scanner setup for your pantry either, would you?
Yeah, unfortunately it seems like the only rights it is missing is "update account information". Which is not much good when you are trying to protect your data.
Do those passwords have less rights? I figured that if any of those passwords got compromised, you were screwed (until you found out which one and revoked it).
This has always been the part I don't like about Google's 2-factor auth. Right now, I have one strong password that would have to be compromised to access my email. If I enable 2-factor, suddenly I have (last time I tried it) about 20 new passwords, any one of which could yield access to my email. That does not really seem more secure.
I think the more important question is whether it is less secure. It does make it harder to seize control of the account (which might be a lame consolation, but backups are a good idea either way), and it is (potentially) more convenient in the event that one device is lost or misplaced.
Someone who previously always logged out might be exposing themselves to more risk by storing the app passwords, but I think that's about the only case where it is worse.
It decreases the severity of a breach but increases the likelihood. Per-app passwords can't be used to take over an account. But they can be used to read my email. I think just shifting the permissions a little so that I can "authenticate" without also giving out the creds to my email would be acceptable.
really surprised so many people that post here refuse to use google authenticator because its "annoying." is it a hassle? yes, but if you have ever had your email (and other accounts) compromised you understand why it is worth that small 5 second hassle when you login.
one feature that i cannot understand why it hasnt been implemented though is protecting the app itself with a password or pin. some people say to just protect your whole phone, but i dont really want to do that because to me that _is_ too large a hassle. if i lose my phone i can revoke access to my email and other similar apps, but not if the person that finds it opens up google authenticator (which shows the account the id is used for) and logs in to change the password before i have a chance to. even just allowing for it to display an account nickname instead of full login would be a huge step forward
It's not a 5 second hassle. I don't get a cell signal in the steel gymnasium even though the wifi works fine. I physically have to go outside to get a code every time I want to log in. And then if my phone is not working, or I leave it at home, I'm screwed.
You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.
Also:
You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.
You can create a new set whenever you want. However, generating a new set invalidates the previous set (so you can revoke access with those tokens if they are lost.
That's a fairly special case though right? The most common concern I hear (other than it's just too complicated) is privacy concerns. People are asking "why does Google want my cell"? What else is that number used for?
> but not if the person that finds it opens up google authenticator (which shows the account the id is used for) and logs in to change the password before i have a chance to.
The person finding your phone would have to either have access to your password, your backup email address or the answer to your security question (which you can write yourself).
Sigh, OK. I'm turning it on today. Was going to do it right now, but then I realized that I'm at Starbucks right now... probably not the best time to be messing with passwords.
Is there a way to use a separate hardware device? Using my phone as the second factor is nice, but my phone is vulnerable to theft because of its value for resale.
A sealed gizmo that shows a number just looks like an el-cheapo souvenier. Without knowing my username and password too, it really is worthless.
I hear a lot of people advising to turn on two factor auth on Google because of this incident, but I haven't heard anyone say that we should be deleting our card details from Amazon. Well, I have, and you should too. Lots of places use the last 4 digits of your card as "authentication", and Amazon happily displays those details in your account.
* Edit: Ah, technically they did break into the email account. The first time I read this I thought that they just had access to the account info page (doing things, such as purchasing or accessing account settings, requires password-entry by Amazon)
No, they did not have to break into the Amazon account.
> First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
> Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
Wow. That's really bad. I mean, it's stupid that Amazon allows that sort of thing (and it sounds like they may be working to fix it). But Apple going off just the last four digits? That's straight up retarded. Why isn't anyone asking about Apple's security policies? Thank Sagan I'm not an Apple customer.
Why is it stupid for Amazon to show the last 4 digits? Let's say I have 3 cards on file. If I want to modify card #2 for some reason (billing address, expiry date) what do I do? Sure, I can look at the other details and take a guess, but we're on HN. On an average, the normal customer would get frustrated.
> Why is it stupid for Amazon to show the last 4 digits?
I think npsimons was saying that it is stupid for Amazon to let you add a fake cc number and than take over an account using that same fake number. Not that they show the last 4 digits.
Ah well, then I stand corrected. So, now the question becomes, should you be allowed to add credit cards over the phone? Or does it become, how long should Amazon wait until they accept the new credit card as a valid ID?
For the second question, I'd say Amazon should wait until the user "confirms" the credit card. That is to say, send the user an email stating "Hi! New credit card added to your account. Click here to verify".
Also, every recent credit card receipt printer puts at least the last 4 digits on paper receipts. A little dumpster diving could easily reveal that data.
Just because a hacker can get the last 4 digits by physically being near you so they can obtain your receipts, doesn't mean that it's therefore worthless to remove that capability from hackers who are not physically near you.
Besides, you should be shredding/burning your receipts anyway.
Like the second class citizens of the web we are, Nigeria does not have 2 factor authentication.
Ghana, Pakistan, Iran, North Korea, Russia, all have 2 factor authentication. Why not Nigeria? This is just another example why being Nigerian is kinda hard on the internet.
It seems to work well with Firefox and Safari, but I've found that two-factor auth doesn't work well with Chrome if you've set it to clear cached files (not cookies) on exit. For some reason, that setting causes Chrome to lose the 30-day permission, so every time Chrome crashed or I rebooted my machine, I'd have to go through the SMS dance. Doesn't happen with the similar setting in Firefox.
Somebody should set up a website dedicated to listing organisations and what information is required in order to obtain access to an account at that organisation.
The reason I'm not using 2FA right now is twofold. First, because Google doesn't have half of their services using it for some undefined reason (for at least a year plus!). Also, the whole "app specific password" thing is a huge pain in the ass. (And appears to randomly stop working on say, IMAP mail).
Second, because the mobile authenticator is not feasible for me right now. I do a lot of android development work (well, mostly screwing around, but we'll call it work) on the side, with the result that I'm wiping my phone for romflashes at least once a week. Makes everything going through a mobile app a little useless.
I really wish Google would support a hardware token of some kind.
Yes, can someone explain why Google Chrome doesn't support 2FA on the desktop or iOS? It's bizarre.
(Well, I suppose it's tragically normal. I'm sure there is a corporate directive that says every Google service must support 2FA, but Chrome has an exception so they don't need to do it yet.)
OK, but it should be asking your for an authenticator code instead. It uses this bizarre "normal password + app specific password" requirement that isn't used anywhere else.
Your data is encrypted with the normal password, so it needs it to decrypt the sync data. The App-specific password is used to log in to the server to GET the sync data in the first place.
I don't think your information is up to date. I have definitely been asked for a verification code when logging into Chrome 22. And yes, I mean the kind of code generated by the Google Authenticator app, not an app specific password.
261 comments
[ 1.2 ms ] story [ 340 ms ] threadNamecheap, I'm looking at you. DNS web apps are a huge possible attack vector.
Also, RE the Google one time use passwords for POP/IMAP. They are all lower case, alpha/numeric, and 8 chars long.
How secure are they against brute force? Why wouldn't Google offer 16 char options, or even longer? Is 8 good enough?
Depends on how good their intrusion detection is.
I too would rather them be longer, and involve at least some numbers if not specials... but they're not THAT short.
Time to go and generate some new passwords!
Thanks everyone!
The least they could do if offer IP whitelisting like Linode does.
In Russia, most social networks these days require that you sign up with a mobile number. You cannot start using your account without receiving an SMS verification code.
There are in fact significant demographics - children and the elderly - where cell phone adoption is rather low. Ironically enough, these are the very groups where enhanced security measures may be most useful.
Actually no, I can't think of anyone. Buy an iPod Touch and install Google Authenticator, you will have all the inconveniences of not having a phone but enjoy the security benefits of two-factor authentication.
But 2-factor does mean there in an expectation you will have to carry some kind of token device.
What's weird is that Google even sort of supports the numbers-on-paper approach, but for some reason they limit it to 10 numbers.
edit: Hmm actually thought of a possible solution. Looking into how hard it'd be to port the Google Authenticator to a non-mobile platform so I can run it on my laptop.
edit2: Although it looks like you can't enable the Google Authenticator method without first enabling the SMS method...
Just install an android emulator, e.g. YouWave, and use that virtual android device to run GA.
http://en.wikipedia.org/wiki/Google_Authenticator#Implementa...
I'm not sure about this (it was a while ago when I installed it), but I know you can install it on a new device after previously having it installed on another device (which disables it on the first device) without an SMS.
[1] http://yubico.com/totp [2] http://zetetic.net/software-onetime
I'll have to see if I can set up the Google Authenticator; I hadn't heard of that before.
It turns into four or five SMS every month, when I usually average zero (various computers, various browsers, etc.) So suddenly, there's this line item where there used to be none. I can't explain quite why it bugs me.
In any case, I hadn't heard of GA before. I've installed it and life is good.
You don't even need one of those, there are implementations of the same algorithm for other systems. I use my Nokia S60 with a J2ME application: http://ds3global.com/index.php/en/news-a-events/news/97-secu...
Mostly it's a downside for Americans, but one plus is that it means the caller's fee doesn't vary based on callee: unlike in some European countries (or Skype), calling a landline vs. a mobile phone doesn't charge the caller different rates.
That's the most bizarre thing I've heard in weeks. Honestly, I'm still laughing. BOTH for SMS and voice?!! God, that's just crazy. No wonder you Americans hate telco companies so much. And I though 0.25 cents (only for outgoing SMSs) that we pay here is absurd.
Paying both ways for SMS is a bit silly, though.
But I don't find paying more for calling a cellphone objectionable. A wireless call requires more resources and money for telco company than a wired one (they put wires in houses decades ago and have forgot about it (the maintenance cost is not huge), but they have to actively setup new towers for different locations in cities and change the old ones). It costs them more, so they charge more and I pay more.
I did. I grew weary of paying for text messages that I have no interest in receiving, so I simply called AT&T and told them to turn off SMS entirely. Since 95% of my phone messaging is via iMessage, and the other 5% is via free Google Voice SMS, I'm not giving up anything at all by turning off my carrier's SMS. I'm not interested in giving a single SMS-related penny to the telecom oligopoly.
That specific combination of attributes still bugs me.
I suspect Google is in a better position to judge how widespread account compromises are than you are. From my perspective, it definitely seems like security people are all saying that account compromises (keyloggers, phishing) have been the predominant threat for several years now because they're suitable for bulk attacks whereas social-engineering Apple is a more limited, if deeply disturbing, process.
There are a couple of problems with that reasoning. First off, I don't see where anything Google has said contradicts my point. Yes, MFA is a good idea. But that doesn't mean it's enough to prevent attacks like the one in question.
Secondly, Google is not an unbiased source on this matter. For cloud services to succeed (which Google is banking on), it is very important that people perceive that they (the people) have some kind of control over their own security. It is reassuring to hear "here are some steps you can take to make yourself safer". It is terrifying to hear "your security ultimately hinges on the competence of some of the lowest-paid employees of the faceless corporations you rely on".
Both of those statements are true, but you're never going to hear the latter emphasized by Google or any other company heavily invested in the continued success of cloud based services. (Which is not to imply that they are dishonest; bias is usually as more about delusion than deception)
> Yes, MFA is a good idea. But that doesn't mean it's enough to prevent attacks like the one in question.
It would have stopped this one, in several ways: according to Honan's writeup, it would have halted things at a key point in the chain of account compromises. Yes, it's true that you have to trust companies - but that's always been true, even 100% off-line, as any victim of identity theft could tell you. The key point is that having any sort of MFA schema would have contained the damage to one company, halting the cascade.
Granted Blizzard controls the entire experience, they're not dealing with 3rd party apps, but it seems like Google could make this easier. And once it's trivially easy to setup, then it can be made the default.
If you don't have root on a box, consider it pwn3d with keyloggers listening to every juicy password you type. Take that as your friend's laptop, a library computer or even your parent's Windows XP box...
Trust no one, Mr. Mulder.
/tinfoilhat
Don't underestimate how vulnerable you are when your email gets hacked - virtually every service you use can be accessed by the forgotten password mechanism when your email is breached. I'm pretty lazy and have procrastinated for a long time, but with the recent attacks and realizing what a mess I could face if hacked I finally implemented two factor auth and I have no regrets yet.
To access files in this situation, a better approach would have been to upload the file to a webserver. You can then safely download it from the library computer without anything being compromised.
http://cm.bell-labs.com/who/ken/trust.html
If it's an edge case, it seems like a trivial one for reducing your security so much. As your documented online data grows, the chance of being hacked only grows. And once you've been hacked, there's really no going back if the attacker decides to do a data-dump and now forever holds your information in perpetuity.
Seriously though, when you have to enter the PIN multiple times a day, it gets annoying.
I have an application that only needs to send E-Mail through my GMail account (git-send-email), another that only needs to write to one specific GMail label (Android SMS Backup), and Google Chrome surely doesn't need access to everything. But you'd get full access to my account if you compromised any of these.
They already have this for the Connected Sites, Apps, and Services. I sent them a feature request for this a while ago but it hasn't been answered (and there's no way to view it online).
Maybe you should use throwaway accounts for these purposes? That is, have a gmail account for github to send your patches through, and have that forward to your main email account?
In the SMS-backup case...how important is it that you access your SMSes in your Gmail account? My first thought is: it's bad enough that someone breaks into my email, nevermind all my SMSes. But I guess if you have a workflow that requires easy access to SMSes with your email, you can still have a separate email account that does nothing but forward it onto your main account.
So your main account, theoretically, has strong security with the two-factor authentication without having to make backdoors for external apps. People can always break into your throwaway accounts, but they'll have no particular inroad into your main account.
And presumably, you'd have a decent window of time to detect an intrusion and administer the throwaway accounts with your main GMail account
Then I can uncheck delete for my chat apps. Edit: And grandparent could uncheck read and delete for a couple of their use cases (which is a pretty big improvement).
Why do you need access to your google account to send email from github? From:-headers are designed to be readily "forged" (or rather, set to whatever you want). Just send email through wathever means you use, optionally adding a bcc to your own account, if you want a copy of the actual email in your gmail folder?
https://mail.google.com/mail/help/intl/en/program_policies.h...
>> Create multiple user accounts in connection with any violation of the Agreement or create user accounts by automated means or under false or fraudulent pretenses
Also, Google gives you the option of managing multiple Google identities from one account.
But, after a few minutes of searching, I can't find any actual promises that google will keep neither your logins, nor your services (eg: gmail) operating -- for any reason.
I guess this is worse if you actually pay them money (did they finally come up with a QOS-statement for paid accounts?)...
However, some type of SMS backup is required: if the Android SMS SQLite db is ever even slightly corrupted (power loss/program crash [usually when db is large]/etc.), Android will silently delete it: http://code.google.com/p/android/issues/detail?id=10127
Two factor-auth, via SMS, may not have saved Matt Honan.
Or buy a prepaid phone, and don't use the number for anything else.
I'm sure I'm missing something, but I'm not sure what.
EDIT: I'll let the post stand but I need to read more clearly, I thought Google Authenticator was purely for Google services.
http://code.google.com/p/google-authenticator-apache-module/
That being said, two factor google auth wasn't going to save Matt Honan here. Identity, trust, and authentication on the internet are all built on a foundation of sand. We need a new model.
Naturally, it's not a panacea, but I think a lot of people allow perfect to be the enemy of quite good when it comes to two-factor auth.
It's the typical security vs accessibility trade-offs. Accessibility won.
Now, you've got several passwords that work, instead of 1 and a keyfob. Ugh.
Edit: Apparently, you can't log into the web interface with those passwords. That's a step in the right direction, but still not fully secure.
They are strictly better than using a single password for everything though, in that they are unique and strong (due to being automatically generated and 16 characters long), and easily revocable.
I suppose there is one possible negative consequence to users who opt not to use app-specific passwords: their existence alone removes some of the incentive for client applications to implement 2-factor themselves (which I don't know if Google even has an API for). And sure, it would be nice to have features like access control on a per password basis (e.g., so I could allow Pidgin to access only gchat, but no other part of my account). But the implication that the mere existence of application-specific passwords somehow makes Google's 2 factor auth useless is just wrong.
Two-factor is a pain on iOS devices where every Google app needs it's own unique password and frequently need a new one for every update. Android is a completely different story though and adds almost zero overhead.
I finally gave up and turned off 2-factor auth. I'm guessing this is a limitation in 4.1.1, but it really, really sucks.
I used 2-factor auth before on my phone (a much earlier version of android) and didn't have this problem. It's the typical thing with google: being on the bleed edge is just that, a pretty unsatisfying experience. I think next time a new android version comes out, I may wait a few months before I update.
Nothing says that number needs to be your mobile (or one that you have regular access to) but you do need to provide one.
If you are sufficiently paranoid there are probably call/sms-forwarding services available for a reasonable cost.
Yes, two factor authentication is a small hassle. Yes, two factor authentication requires a bit to set up. But do you realize how much actually depends on your email account being safe?
For one, how many times did you use Googles OpenID provider? Yes, that's your Gmail account! Or for how many services did you use your Gmail account as the email address? You know that password resets go to that account, right?
Don't do that? Maybe you use Google Calendar, then. So yes, there is actually a lot of sensitive data in there. If you don't believe me, try to get a hold of a friends calendar, and see what you can guess about that person just from the calendar.
Or should someone just post some slander about you on you G+ profile? Or buy some apps from the Android Market? Of course this things never happen to you...
So just take the time to, besides looking at the time or the latest message on your phone, open that stupid app and type that stupid code in! It's not THAT much work!
And I have no clue how you managed to mess up your phone… By entering new passwords??
And why use a (relatively, before someone calls me out) high security measure for something unimportant in the first place? You wouldn't use a full biometric security scanner setup for your pantry either, would you?
Hopefully they figure out a nice way to make the rights more granular (so that a chat app can't mess with email or whatever).
So instead of losing access to your account, you just lose all your email (yay!).
Someone who previously always logged out might be exposing themselves to more risk by storing the app passwords, but I think that's about the only case where it is worse.
one feature that i cannot understand why it hasnt been implemented though is protecting the app itself with a password or pin. some people say to just protect your whole phone, but i dont really want to do that because to me that _is_ too large a hassle. if i lose my phone i can revoke access to my email and other similar apps, but not if the person that finds it opens up google authenticator (which shows the account the id is used for) and logs in to change the password before i have a chance to. even just allowing for it to display an account nickname instead of full login would be a huge step forward
You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.
Also:
You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.
The person finding your phone would have to either have access to your password, your backup email address or the answer to your security question (which you can write yourself).
A sealed gizmo that shows a number just looks like an el-cheapo souvenier. Without knowing my username and password too, it really is worthless.
YubiKeys are relatively cheap and would provide a nice alternative to using a phone, IMO.
Either way, using the last 4 digits as 'security' is just stupid. You can get those from a receipt.
No, they did not have to break into the Amazon account.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...
> First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
> Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
Wow. That's really bad. I mean, it's stupid that Amazon allows that sort of thing (and it sounds like they may be working to fix it). But Apple going off just the last four digits? That's straight up retarded. Why isn't anyone asking about Apple's security policies? Thank Sagan I'm not an Apple customer.
I think npsimons was saying that it is stupid for Amazon to let you add a fake cc number and than take over an account using that same fake number. Not that they show the last 4 digits.
For the second question, I'd say Amazon should wait until the user "confirms" the credit card. That is to say, send the user an email stating "Hi! New credit card added to your account. Click here to verify".
Just because a hacker can get the last 4 digits by physically being near you so they can obtain your receipts, doesn't mean that it's therefore worthless to remove that capability from hackers who are not physically near you.
Besides, you should be shredding/burning your receipts anyway.
Ghana, Pakistan, Iran, North Korea, Russia, all have 2 factor authentication. Why not Nigeria? This is just another example why being Nigerian is kinda hard on the internet.
https://accounts.google.com/b/0/SmsAuthConfig
http://oonwoye.com/2011/01/23/life-as-a-second-class-citizen...
Can Nigerians use the Google Authenticator app?
If yes, then the answer is probably high SMS costs.
It is exactly why I put the range of countries above. Can we be in a worse situation than them all?
Second, because the mobile authenticator is not feasible for me right now. I do a lot of android development work (well, mostly screwing around, but we'll call it work) on the side, with the result that I'm wiping my phone for romflashes at least once a week. Makes everything going through a mobile app a little useless.
I really wish Google would support a hardware token of some kind.
(Well, I suppose it's tragically normal. I'm sure there is a corporate directive that says every Google service must support 2FA, but Chrome has an exception so they don't need to do it yet.)