Background
Any time we get real data on Internet user passwords, we once again discover that people are bad with passwords. Additionally, as the tools to compromise and crack passwords get better, even high quality passwords are becoming less secure. Two factor authentication should be used when it is available, and if you run an authenticated website / webapp, there is a cheap and easy way to implement it.
In an earlier post, I showed that some online services were more critical than others from a security perspective – specifically the email account used for account recovery for other services. In many cases, this is Google Gmail and in this post I will be using it as an example.
One Time Passwords and Google Authenticator
Google Authenticator is a relatively simple app written by Google that generates time-windowed One Time Passwords (OTP), with a new one every 30 seconds. This app is available for Blackberry, iOS and Android devices, and can be used as the second factor for Two Factor Authentication (2FA) on Google account access. More importantly, it can be used by any non-Google website or application developer. Let me back up a minute and explain why this is a good thing.
An Authenticator is something you use to authenticate – or prove who you are to a system. A password is an authenticator, but not a very good one by itself (anymore). Authenticators can be based on:
- Something you know : Password, PIN code
- Something you possess : Smart Card/Fob, SecurID, device with Google Authenticator
- Something you are (biometrics) : Fingerprints, Retina scan, etc.
The idea behind Two Factor Authentication is that even if one of the factors is weak, the combination of two factors is much stronger than either of the authenticators individually. Most importantly, it is very easy to share a password, but very hard to share both parts of a Two Factor Authentication. In the very recent past, 2FA was not very accessible: passwords are cheap to use / implement, and none of the other authenticator options were.
Here is where Google Authenticator comes in. Google Authenticator provides a well-known method (RFC 6238) to generate six digit authenticator tokens based on the current time and a shared secret key. The app can also support multiple concurrent authentication generators. The app does not depend on Google services, and up until a certain point it was open sourced. Open source equivalents to Authenticator are available. Details on the alternatives and on how Authenticator functions are in the associated Wikipedia article.
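As an added example (not code from the original post), here is the RFC 6238 scheme the app implements, in plain Python using only the standard library: issuing a shared secret and its otpauth:// provisioning URI, producing the six digit code for the current 30-second window, and the server-side check a non-Google website would run against what the user types. The issuer and account names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # Authenticator's time window
DIGITS = 6         # Authenticator shows six digits

def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as the app expects it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI (Key URI format) the app reads from a QR code."""
    return f"otpauth://totp/{issuer}:{account}?secret={secret_b32}&issuer={issuer}"

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, now: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30 s window."""
    t = int(time.time() if now is None else now)
    return hotp(secret_b32, t // STEP_SECONDS)

def verify(secret_b32: str, submitted: str,
           now: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check for a site that issued the secret: accept the
    current window plus `window` neighbours each side (clock drift) and
    compare in constant time so timing does not leak matching digits."""
    counter = int(time.time() if now is None else now) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    s = new_secret()  # constructed demo: issue a secret, then check a code
    print(provisioning_uri("example.org", "alice", s), totp(s), verify(s, totp(s)))
```

The RFC 4226 / 6238 test vectors (secret "12345678901234567890") reproduce with this code, so it can be checked against any other TOTP implementation.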
Enabling on Google Account – How it Works
To setup 2FA on your Google account, do the following:
- Install Google Authenticator on your Smart Device (phone / tablet / etc)
- Login to your Google Account
- Go to Account Settings / Security / 2-Step Verification and select ‘edit’
- Enter the information, including the phone number, and print out the 10 emergency codes. Safety nets are what prevent Self Inflicted Denial of Service Attacks (SIDoSA).
- Follow the instructions to load the shared secret into the app AND verify it.
- That’s it – you are set up.
After that, you will be asked to enter username / password followed by a request for the six digit authenticator from your smart device. Since I don’t store cookies, I need to do this each time I log in – but after a few days it becomes an easy habit. I also have the knowledge that my account is fairly secure – even if my password looks like “Fluffy-Bunnies” instead of something like ‘H@Af5%Zwqhkh*6iJ8’.
Potential Risks with using Google Authenticator
There are no risk free solutions to real problems, and Google Authenticator also has its risks. We can look at a couple of scenarios to see what some of those may be:
- When used on a Google Account:
  - Q: If my Google Authenticator device is lost or stolen and it happens to be the phone listed as my recovery, could somebody use that to access my Google account?
  - A: Only if your phone is not locked (it should be) and they also have your password, since they need both factors to get in. Low risk (and yes, you should put a lock on your phone).
  - Steps: If this actually did happen, the first actions you should take are to use one of your 10 recovery codes to log in to your Google account, disable 2FA, disable that device password (if you use device passwords) and change your primary password, taking your lost / stolen authenticator out of the loop and disabling access of any form from that device.
- When used on some non-Google website / application:
  - Q: Since the secret key for this non-Google website / application is entered into Google Authenticator, does Google now have access to my account on this non-Google website / application?
  - A: Not very likely. It is possible that they are backdooring all of these secret keys, but:
    - There is no direct association between a secret key and a given website / application, so there is no direct way for Google to know where this key should be used; and
    - It is only one half of a two factor authentication, since they are missing the password authenticator (and the username).
Bottom Line
Passwords alone are about a decade past being effective and rapidly approaching useless. Google Authenticator provides an effective authenticator generator for Google accounts that can also be used on just about anything (there is a PAM plugin available), and when paired with a password it provides a much better degree of security.
Recommendations
Use it for Google accounts and any other website that offers it as an option. Use it for your enterprise login.
For the Maker community – use it for the PIN pad on your house/garage door. Use it for access to your home automation webserver. A rolling Google Authenticator secret can easily be duplicated on multiple devices to allow family-wide access, but cannot be shared with others (something to be said for that).
Use it everywhere you can imagine – and if you can use it with a password, you have 2FA and all of the goodness that comes with that.