OK, so I turn on two-factor authentication for GMail, but...
1) I immediately have to create an application-specific password to actually read my mail on my iPhone.
2) If anyone ever gets access to that secret password, or any of the others I create, they have full access to my email and any password resets they generate.
3) I will have no idea this is happening since I would expect my mail to access that app password daily.
So your fancy two factor authentication still ends up resting on one piece of secret info as the weak point. Am I missing something?
> So your fancy two factor authentication still ends up resting on one piece of secret info as the weak point. Am I missing something?
Yes: that email password cannot be used to change your password, cancel your account, etc. and can be revoked easily without breaking anything else. This also means that you're not entering the password which can do all of those things on a daily basis, further reducing the odds of someone else being able to capture it even if they do manage the total local compromise or strong SSL MITM needed to get your ASP.
Security is all about incremental improvements, not silver bullets.
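To make the scoping argument in the reply above concrete, here is an added toy model of how an account can hold a primary credential plus independently revocable application-specific passwords. It is example code written for this thread, not Google's implementation; the scope names, the 16-hex-character ASP format and the `Account` API are constructed, and the second factor is stood in for by a caller-supplied check function.

```python
"""Toy model of application-specific passwords (ASPs) with limited scope.

Added example, not from the thread or from Google. Scope names, the ASP
format and the API are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed scope sets: the primary login can do everything; an ASP can
# only read and send mail. It cannot change the password, delete the
# account, or mint further ASPs.
PRIMARY_SCOPES = frozenset({
    "mail:read", "mail:send",
    "account:change_password", "account:delete", "asp:manage",
})
ASP_SCOPES = frozenset({"mail:read", "mail:send"})


def _derive(secret, salt):
    # Slow hash so a leaked credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class StoredSecret:
    salt: bytes
    digest: bytes

    def matches(self, candidate):
        # Constant-time comparison of derived digests.
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


def _store(secret):
    salt = secrets.token_bytes(16)
    return StoredSecret(salt, _derive(secret, salt))


@dataclass
class Session:
    scopes: frozenset
    via: str  # "primary" or the ASP label that produced this session


class Account:
    def __init__(self, password, second_factor_check):
        self._primary = _store(password)
        # Hypothetical stand-in for the TOTP/SMS check: callable(code) -> bool
        self._second_factor_check = second_factor_check
        self._asps = {}        # label -> StoredSecret
        self.asp_uses = []     # audit trail of which ASP label logged in

    def login_primary(self, password, code):
        """Full-privilege login: password AND second factor required."""
        if self._primary.matches(password) and self._second_factor_check(code):
            return Session(PRIMARY_SCOPES, "primary")
        return None

    def login_asp(self, candidate):
        """Single-secret login for a mail client; yields reduced scopes."""
        for label, stored in self._asps.items():
            if stored.matches(candidate):
                self.asp_uses.append(label)
                return Session(ASP_SCOPES, label)
        return None

    def authorize(self, session, action):
        return session is not None and action in session.scopes

    def create_asp(self, session, label):
        """Only a primary (two-factor) session may mint an ASP."""
        if not self.authorize(session, "asp:manage"):
            raise PermissionError("creating an ASP requires a primary login")
        asp = secrets.token_hex(8)  # constructed 16-hex-char format
        self._asps[label] = _store(asp)
        return asp  # shown once to the user, then only the hash is kept

    def revoke_asp(self, session, label):
        """Revoking one label leaves the primary password and other ASPs intact."""
        if not self.authorize(session, "asp:manage"):
            raise PermissionError("revoking an ASP requires a primary login")
        return self._asps.pop(label, None) is not None


if __name__ == "__main__":
    acct = Account("correct horse battery", lambda code: code == "123456")
    admin = acct.login_primary("correct horse battery", "123456")
    phone_pw = acct.create_asp(admin, "iphone-mail")
    phone = acct.login_asp(phone_pw)
    print("phone can read mail:", acct.authorize(phone, "mail:read"))
    print("phone can change password:", acct.authorize(phone, "account:change_password"))
    acct.revoke_asp(admin, "iphone-mail")
    print("phone ASP still works:", acct.login_asp(phone_pw) is not None)
```

The point the model makes: a captured ASP gives mail access, but it cannot reset the password, delete the account or create another ASP, and the owner can revoke that one label from a two-factor session without touching anything else. The `asp_uses` list is where a real service would drive its "recent activity" view, which is what a user would watch for the silent daily access the original poster worries about.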
> This also means that you're not entering the password which can do all of those things on a daily basis,
Before two-factor, were you really typing in your GMail password on a daily basis?
I mean, I certainly don't deny that two-factor is much safer if you can actually use it, like on the GMail site. I just worry about the big holes that application passwords punch in that wall. All it takes is one application sending your password in non-SSL when you are connected to an insecure wi-fi, and you are hosed. Is every Google login for every service SSL only?
Exactly. Let me know if you find an answer to this.
I have a policy where I will only add a generated application-specific password to really trusted applications (internal OS apps: mail, calendar, etc.), and have gone as far as to sniff all traffic for each of these apps.
You only type that application specific password once. You're not typing it to log in via wifi at coffee shops, airports, etc. You're not typing it every day for a keylogger to pick up, should your machine be compromised in the future. You're not typing it into borrowed machines or net cafe machines in some hotel business center.
So, no, it isn't perfect, but it's a heck of an improvement. That is, if you believe your machine to be reasonably secure on day 1.
Calling it an "application specific password" is actually a misnomer. WE create the app-labels. For all practical purposes it's a backdoor entry into your account.
So, I'd say for absolute 2FA, you must give up Chrome browser profiles, device mail sync (till Google comes up with a compatible client) and Google Talk/any Jabber client. I don't care about Chrome browser profiles but I need/want my Android phone to have full connectivity viz. push mail and gtalk access to my account. I could always keep a separate browser window on the PC with my gmail signed in and IM notifications enabled for my third point.
Overall, I feel losing my Android connectivity is not worth the 2FA.