Thursday, April 07, 2011

Google 2-factor Authentication (aka OTP) and Application Specific Passwords

This should be more widely publicized as it is now available for every one.

When I search for "Google 2-factor" on Google.com, the best I get is news on 2-factor and not a direct link.  Hopefully, this quick write-up will help some people find this.

What is it?
2-factor or OTP (One-Time-Passcode) (or 2-step verification) is a 2nd level of security that can be added to a Google account.  This technology is not exclusive to Google, but we're lucky that Google offers it.  The way it works is that you use a mobile phone to generate a passcode that only lasts for a very limited period of time.  You then enter this password along with your normal password when you sign into your Google account on the web.

Here's what it looks like after you enter your user name and password and you have 2-factor enabled:



The codes that you'll be generating will look something like this:  581775


You'll need a cell phone that you carry around often.  Once you enable and set up 2-step verification, any computer or new browser you use will show you a screen like the one pictured above.  You'll need your phone and an application installed on your phone to generate a code.  You'll enter this code into the box to sign in.  Google supports Android, Blackberry, and iPhone through native apps for each platform.  But, if you have a dumb phone, you can select an option to use SMS text messaging.  If all you have is a landline you can even have Google send an automated voice message to deliver your passcode!  This means that anyone who usually has a phone nearby should be able to use this feature.

Using 2-step verification will also enable the use of Application Specific Passwords.  This might, at first, turn some people off of the idea.  However, I highly recommend using these, too.

What are Application Specific Passwords?
If you never access any Google accounts or apps through anything but a web browser, then you don't need to worry about Application Specific Passwords.  If you use native chat clients, an Android or iPhone to access your Google account (through the apps, not the web browser), POP or IMAP email clients like Outlook or Apple Mail, or you use automated scripts to access your Google account, then you'll need to understand and use Application Specific Passwords.

Application Specific Passwords are set up through your Google account and are used to grant access only to the applications you specify.  One "Specific Password" for each "Application."  If you use Adium to sign into Google Talk, then you'd go to your account page, generate an Application Specific Password for Adium, and then enter that into the "Password" field in Adium.  You use the Application Specific Password you generated from your Google account instead of using your normal Google password.

The generated password will be long and difficult, but you can just copy and paste it from your Google accounts page.  You should never have to memorize this Application Specific Password.  And, don't worry -- if you lose it you can pull it up again later.

You can probably see that if Google turned on 2-step but allowed external programs to access your account without 2-step, then that would leave a hole in the 2-step security mechanism.  There are actually some great advantages to Application Specific Passwords beyond just patching a security hole:

  • If you suspect your password for your email client has been stolen, you don't have to reset your Google password at all.  You just have to delete the old one, revoke access, and then generate a new one just for that one application.
  • You always know exactly which apps are accessing your Google account because you gave them access from your accounts page.  And if you suspect one is compromised, again -- you can just revoke access.
So, let's say you are a Google user.  You use Gmail from the web, you use Adium to log into Google Talk, you use Apple Mail to check your Gmail, and you have an Android phone.  Here's what you'll be doing:

  1. Set up 2-step verification on your Google Account.
  2. Download the Google Authenticator app for Android.
  3. Install Google Authenticator on your Android.
  4. Start using 2-step.
  5. Set up an Application Specific Password for your Android phone's login through Google Accounts.
  6. Generate an Application Specific Password for Apple Mail.  Start using it to check your mail.
  7. Generate an Application Specific Password for Adium, and start using it right away.
Then you and your account will be that much more secure.  Any time you (or, more importantly, someone else) tries to access your Google Account from another web browser, a second password step must be completed (thus, 2-step).  Your 2-step verification code will have to be entered.  If it's not you on the other end of the screen, and it's instead a bad guy trying to get in, his hacking attempt will be stymied!  He won't have your phone to generate the verification code.  If any other application besides the ones you've authorized tries to access your account (even if it has your main Google password), it will also fail.

More astute readers can probably come up with several implications.  For example, let's say you have a prying mother, ex-girlfriend, landlord, thief, hacker, cat, or dog who has been routinely and furtively spying on you because she's had your Google Account password.  Well, the next time this amateur casually types in your password, she will be greeted with this extra verification screen.  Someone could be regularly using your account right now without you even knowing it, and by applying these optional security measures you'd be locking them out of ever accessing your account again.

However, when you log in to your account, you'll just whip out your trusty cell phone, punch in your code, and be using your Google Account with ease.

Also, note that there is an option to have your browser save your verification on the particular browser you're using for 30 days.  This way, if it's your home computer, you don't have to punch in a verification every time.  Use this feature sparingly -- I would only use it on my home computer.  Now you see another implication -- you can use those scary public computers and kiosks with a lot more confidence!  Even if there are key-loggers installed, they won't have your verification code for the next log-in because it constantly changes.  It doesn't matter if anyone gets your temporary code.  It's not possible to predict or derive future codes from the current code.  Once you use the current code it won't be reusable.
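The three properties just described (a code is tied to a short time window, the next code cannot be worked out from the current one without the secret, and a code that has been used is refused) are what the TOTP algorithm of RFC 6238, which Google Authenticator implements, provides.  The example below is added here and is not code from the post or from Google; it assumes the standard parameters (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC's published test key rather than a real secret.

```python
import hashlib
import hmac
import struct
import time

# Assumptions (this example's, not the post's): codes are TOTP (RFC 6238) over
# HMAC-SHA1 with 30-second steps and 6 digits.  The secret is the RFC 4226/6238
# test key, used here only so the output can be checked against the RFC.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)


class Verifier:
    """Server-side check: accept the current window (plus one either side for
    clock drift) and refuse any code from a window already consumed, so a
    code captured by a key-logger cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_window = -1

    def verify(self, code: str, unix_time: int) -> bool:
        window = unix_time // STEP_SECONDS
        for candidate in (window - 1, window, window + 1):
            # A window at or before the last accepted one is a replay.
            if candidate <= self.last_accepted_window:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_window = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET, now))
```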

Doing the Two-Step
To start setting up 2-step verification, go here:  https://www.google.com/accounts/SmsAuthConfig while logged into your Google account.

You'll see a screen like this:


Now it will guide you through the process to set up 2-step verification.  Since I started writing the draft for this article, Google has published some good documentation about it.  Here are links to the documentation to get you started and help you understand exactly what you're getting into:

2-step:
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284

Application Specific Passwords:
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056286

At first, you may bemoan the very idea of having yet another security loop to jump through.  But, I hope that I've helped you understand the implications and shed some light on the very real and cogent benefits to using these options.  Two-step verification can be disabled if you decide you don't like it.  I haven't regretted switching over yet.  At first, the extra step was a minor inconvenience, and now it's an unobtrusive good habit.