I love, love, love the idea of Two-factor authentication. Basically, 2-factor authentication requires you to have something you know (like a passphrase) with something you have (like a token or key). A totally meatspace example of two-factor authentication is the key to your house. Someone couldn’t gain entry to your house if they just found the key. They’d also have to know where you lived.
A virtual example is the Battle.net mobile authenticator put out by Blizzard Entertainment, or the security key card used by PayPal and eBay. The authenticator / card is something you have, and your passphrase is something you know. Two pieces of information, two factors of security.
Google’s two-factor authentication is the most robust system that typical Web users will encounter. Not only will you use to Google Authenticator to sign into your Google account, Google forces you to set up a network of unique passwords for authorized applications, such as your mobile device, GTalk, etc. This attempts to minimize damage should any single password get compromised. However, this winds up being a very cumbersome system.
I was very excited to see that Google had rolled out two-factor authentication. Now that I’ve been using it for about two months I wanted to go over my impressions.
Start the 2-factor authentication setup process
- Go to your Google Account Settings. The first thing you need to do is sign into your existing Google account and enable two-factor authorization. As of this writing, you may find this by going to your personal account settings. Do this by clicking on your Google Accounts portrait and then clicking “Account Settings”
- Click the “Using 2-step authentication” link.
- Get started, or watch the video. Google’s method for employing multi-factor authentication is more complex and thorough than what you may be used to. I normally advocate skipping introductions and videos, but this one may be really helpful. Once you’re ready, click the blue “Start Setup” button:
- Determine how you will receive passcodes. Google generates automated passcodes for your account. Each passcode is only good for a short period of time. Just like Blizzard Entertainment’s authenticator, Google has passcode apps for your mobile devices. I have an Android OS phone and I’m not familiar with the Google Authenticator app on the iPhone or Blackberry, but it’s available for those phones as well. You may also opt to receive text messages or automated phone calls if you don’t want to install an app or if you have a feature phone.
- Configure your mobile device to receive passcodes. At least in the Android OS version, the Authenticator app allows you to scan the QR code that is generated just for your account. This makes linking the account to your phone super easy.
- Configure backup options. What happens if you lose your phone? Google forces you to set up two methods of backup. The first will be a set of ten disposable passcodes you can either print out or download to a file for storage elsewhere. You can request more if you need to, but I’d recommend just using the Authenticator app.
- Set up backup phone. My only phone is mobile device, so I think making this step required is dumb. However, if you still have a landline, or if you want to use a buddy’s phone as a backup device, you can enter a secondary phone number here. Otherwise you’re going to be stuck like me. Just type in a number; you can’t proceed otherwise.
- Break your stuff (probably). Chances are you’ll need to authorize third-party applications. The idea behind this is good — Google wants you to use different passwords for different services. Many people use the same password for many sites, and if one of those sites gets compromised then someone may have your password to lots of other sites, too.
It’s entirely possible that you only use Google’s Web-based services like Gmail, Google Calendar, and Google+. If so, congrats, you’re done! Skip this step and the next. Otherwise, get ready for the most complex, confusing, and possibly frustrating multi-factor security system available to average Web users.
- Sign back in with your 2-factor authentication.
This part is super easy, and fun You can choose to set a cookie in your browser so you’re not prompted for a code every time you access a Google service. If you’re on a “high risk” computer such as a laptop or a public terminal you may want to leave this option unchecked.
This is what the Android Google Authenticator app looks like:
- Authorize third-party applications. You will need to set up unique passwords for each external service that is tied to your Google account. In my case, that’s Gmail for my personal email and my Gibberish email on my mobile phone, Google Talk on my laptop and at home, and bookmark sync via Chrome on my laptop, home, and primary HTPC. Google automatically handles authorization for Web sites and Chrome extensions you may use, such as Google Analytics, Facebook, SurveyMonkey, or the goo.gl Chrome extension.
Some advice about external service passwords
This part sucks. You don’t get to choose what the passwords are — Google generates them automatically for you. They are sixteen alphanumeric characters long. You never, ever get to see them again. I screwed up the first time I set external app authentication up because I generated a few before realizing I couldn’t review them. These codes are also a pain in the ass to type into a mobile device.
One-off passwords are a major pain in the ass if something changes. For example, I reinstalled Windows 7 on my personal laptop when I started doing more freelance stuff. I had to de-authorize four services and re-authorize new versions on my laptop. I also managed to screw up my bookmarks synchronization by losing a “master password” I never remembered setting up, so syncing up different Chrome installations is a pain in the ass now. Two days later I build a new personal computer at home and had to repeat the process. The Intel Rapid Storage Technology SSD I use was corrupted about a week ago, so I wound up having to generate a few more passcodes again.
Even though Google suggests you don’t have to remember the passwords, I started saving all of mine to my KeePass password store. I no longer have to generate new passwords if something weird happens or if I have to rebuild a machine.
That’s what’s involved in setting up Google’s multi-factor authentication. It’s probably the most robust, secure authentication system a typical Web user will run into, but that means it’s also the most confusing and complicated.
Should I use Google’s two-factor authentication?
That is an interesting question, and as with most interesting questions the answer is: “it depends.” If you have an Android OS phone like I do and are heavily invested in Google products like I am, then the two-factor auth scheme seems like a great thing to do. I’ve been a Gmail user for over seven years. Protecting that long relationship seems like the right thing.
However, if you use some other service for email and use a PalmOS device … perhaps it isn’t worth it to you. The setup process alone makes me nervous about telling my mom to turn this on, and I feel like I’m just setting myself up for some additional tech support. If you cringe thinking about this phrase: “I CAN’T SIGN INTO SHIT, WHAT’S MY PASSWORD?” then you should keep Google’s scheme to yourself.
For the average person with the average level of Web technology familiarity I would suggest not setting up Google’s two-factor authentication. I think using an automated password generator like KeePass and/or using passphrases instead of passwords is a more consistent, practical method of operation.
Let me know if any of you are using Google’s two-factor authentication, and how it’s working out for you.