I'm really frustrated with Google and this 2-factor authentication. They are in such a great position to really change the way in which people secure themselves and they've completely missed the trick [edit: FOR THE AVERAGE USER].
Google 2-step auth is very hard to use and for how hard it is to use it doesn't provide all that much protection. It protects against phishing (mostly) but not against someone who has your phone. Malicious ex-girlfriend trying to do you harm? Google 2-factor won't help you a bit as long as at some point she had access to your phone.
Any security improvement is better than no improvement so let's concentrate on the real issue which is ease of use.
1. Google 2-factor auth requires application-specific passwords, which are deeply confusing
I founded Clickpass and I can only just get my head around this. One password per application? This is a very confusing concept and very difficult for the average person to understand. There's no indication of whether you can reasonably create one password and reuse it in all your apps (which I think you can).
Application specific passwords are very confusing and not that much more secure than one revokable password for all applications.
2. Application specific passwords are almost impossible to use on mobile apps
Ever tried copying a 12-digit long string into a keyboard which only shows you the last letter you entered, and even then only for half a second? It's really hard. You can't copy and paste them and you have to have a computer nearby to do it (it's very hard to use the Google password-generator page on mobile).
Here is the list of the application-specific passwords that have to be individually entered (10+ characters each):
On my mobile
- iPhone mail
- iPhone Google account (through browser)
- iPhone work mail
- iPhone (work Google account through browser)
- iPhone calendar
- iPhone calendar (work)
DUPLICATE ALL OF THE ABOVE FOR iPad
DUPLICATE ALL OF THE ABOVE FOR MacBook Air
Switch on 2-factor auth and you immediately find all these apps go dead until you do this. It will take you about 15m at least to do this, and you'll have to do it again if you change your password or get a new device. You can't copy and paste because the Google auth-token page is unusable on mobile.
What we need is easy, incremental security improvement
The problem with Google 2-factor auth is that it was designed by security geeks. It takes 3m just to watch their setup video! The system needs to be designed by usability geeks and audited by security geeks.
2-factor auth is no use at all if it's switched off. Contrast my switched-off 2-factor auth with my Facebook auth, which texts me every time someone logs in from a new machine, and you are contrasting a system which provides me with a bit more security (FB) with one which purports to be secure (Google) but which adds nothing.
Google needs to rip the security guys out of their security team and put the user experience people in. End-user security is a UX problem and Google is in a powerful position to effect change.
[Edited above for (a little) brevity]
EDIT BELOW: for folks who feel this account is unfair:
I realise that if you keep a PGP encrypted file on another device that is necessary to do your password reset then yes, Google 2-factor auth is very strong indeed.
I also realise that you shouldn't tell someone your password. The point is though that resetting your password is something that only really needs your phone. The key elements to resetting your password usually involve sending a password or an out-of-channel token to another account. For most people that other account is their work mail or Facebook, both of which are usually accessible via their phone.
I'm not talking about the absolute strength of Google 2-factor authentication. I'm talking about how that type of process applies to the type of internet user who tries to log into Facebook through ReadWriteWeb:
http://www.readwriteweb.com/archives/facebook_wants_to_be_yo...
They don't need to know it. To reset your Google password you need your backup email account (Facebook / Work email ) or your telephone number or text. All of these are almost invariably accessible without further authentication via your phone. The protection that 2-factor authentication adds doesn't apply in the event that someone has the second factor. We're talking about the incremental improvement rather than the protection granted by your password.
Yeah, I'm sorry... I understand the parent post's rants, but to even bring up this scenario is absurd. If your nemesis knows your password, then you've royally screwed up, never mind the problem with her having your phone.
Also, does the parent-commenter mistakenly believe that the authenticator code is all that's needed to log into an account? But maybe that underscores his point that the whole system may be overwhelming to the average user.
>Google 2-step auth is way too hard to use and for how hard it is to use it doesn't provide all that much protection. It protects against phishing (mostly) but not against someone who has your phone. Malicious ex-girlfriend trying to do you harm? Google 2-factor won't help you a bit as long as at some point she had access to your phone.
Can we not upvote bullshit? He's vocally ignorant. The one-time key generator is useless without the password. For his situation to be an issue he must already have given her the password.
I don't think promoting security advice from someone who gives out his plaintext password is the least bit responsible.
> A reset link that gets sent to a secondary account that my phone doesn't have access to with a
> unique password stored in a PGP encrypted file with a nice long passphrase only known to me.
> My security question has a gibberish answer.
How do you think the average person resets their password? I'm not talking about 2-factor auth as it applies to someone who keeps a PGP encrypted file on their machine I'm talking about it as it applies to the type of person who complains they can't log into Facebook through this page:
Next time you ask a question don't act like the answer doesn't count just because it doesn't fit your stupid narrative. If you wanted to talk about how you think average people are too stupid to use 2-factor auth then just say it.
Your post is buried and won't harm others. Move on.
A reset link that gets sent to a secondary account that my phone doesn't have access to with a unique password stored in a PGP encrypted file with a nice long passphrase only known to me.
> 2. Application specific passwords are impossible to use on mobile apps
I completely agree that the overall UX needs serious improvement but … doesn't your mobile device support copy and paste? I do this from time to time and while it's a bit clunky it's a lot easier than typing the password in by hand.
I feel your pain, slightly, but isn't the majority of this list caused by the fact that Apple's software stinks? There's no way for apps on iOS to share the account details. You don't need to do any of that junk on Android. And you wouldn't have to do any of it on a Chromebook, either.
You don't have to do it on iOS either (assuming you're using the built-in mail/calendar/contacts). Ignoring that the OP was setting up multiple unique Gmail logins (personal and work), the scenario he outlines requires entering exactly 1 app-specific password per Gmail account in the "mail, calendar and contacts". I have no idea why he's talking about using them in the browser; normal 2FA works fine there.