Two-Factor Auth: Can we just Google the response?
Google announced earlier that they are now offering two-factor authentication to all of their users. More information is available at the Google Blog. This is an extension to the service offered to their Apps customers last month. While normally I would think that “advertising” a service wouldn’t fit in this diary, this is a little more than the regular new feature. In my opinion, it’s a big change in how people think about two-factor authentication.
We have known for years that passwords are one of the weakest points in our security controls. Users pick weak ones or share them with anyone who asks nicely. Even security consulting firms will fall for simple social engineering attacks and reveal them. One answer, two-factor authentication, has been proposed often, but is shot down almost as often. Clients often tell me that the cost is too high to roll out a solution, which I have always felt was the wrong answer. Of course, I am the paranoid security nerd. When this happens, I propose one of two solutions that try to help lower the cost.
The first is where the site or organization passes on the cost to the user. Blizzard does this for their Battle.net accounts. If the user feels that they should use two-factor authentication, they can either pay for a fob (the token generator) or install a smart-phone application. Of course I always laugh that my virtual gold in my World of Warcraft account is safer than my real “gold” in my bank account.
The second route is the one Google has chosen. When a user activates the system, their log-on process has an extra step. After entering their password, they receive a phone call or an SMS that carries the token. They enter this into the form and, if it’s correct, they gain access to their account. This lowers the cost of deployment because it removes the need for a fob to be sent to every user.
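The extra log-on step described above, as an added example that is not part of the original diary or of Google's own code: the server-side issue-and-verify logic for a delivered one-time code, with expiry, single use and a guess limit. The `send_code` callback standing in for the SMS/voice gateway and the time limits are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed value: a delivered code is valid for five minutes
MAX_ATTEMPTS = 3            # assumed value: discard the pending code after three wrong guesses


class SecondFactorStep:
    """Server-side state for the extra log-on step: issue a one-time code,
    hand it to an out-of-band channel (SMS / voice call), then check what the user types."""

    def __init__(self, send_code, now=time.time):
        self._send_code = send_code      # hypothetical callable(user, code): the SMS/voice gateway
        self._now = now                  # injectable clock so expiry can be tested offline
        self._pending = {}               # user -> [code, expires_at, attempts_left]

    def begin(self, user):
        # Reached only after the password check succeeded. A fresh 6-digit code
        # from a CSPRNG replaces any code still pending for this user.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_code(user, code)      # the code leaves the server only via the phone channel

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                 # nothing issued, or already consumed/discarded
        code, expires_at, _attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]      # expired codes are never accepted
            return False
        if not hmac.compare_digest(code, submitted.strip()):
            entry[2] -= 1                # count the wrong guess against this code
            if entry[2] <= 0:
                del self._pending[user]  # guess limit hit: the user must restart the step
            return False
        del self._pending[user]          # single use: a captured code cannot be replayed
        return True
```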
So the questions are pretty simple. First, how do you think two-factor authentication should be implemented and how do you deal with the cost? Second, alliance or horde? ;-)
Kevin Johnson
Comments
And, Alliance :)
Raymond
Feb 11th 2011
1 decade ago
DJ-O
Feb 11th 2011
1 decade ago
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
As you can see on the second image: You are able to "stay signed in" AND to remember the verification code (i.e. the 2nd factor) for a period of 30 days.
I did not test that, but it looks as if you can bypass Google's 2nd factor security with just a click.
Michael
Feb 11th 2011
1 decade ago
The something you have in this situation is your cell phone.
WH1t3H@
Feb 11th 2011
1 decade ago
Kevin
Kevin
Feb 11th 2011
1 decade ago
With "features" like the iPhone/iOS encryption key harvesting bug discussed yesterday on slashdot, is there a viable alternative to hard tokens?
Oh and FOR THE HORDE!!!!!
arctic tundra
Feb 11th 2011
1 decade ago
I agree that the $5.99 was an easy cost to send in. (I have to admit to buying one vanity pet. The one where they donated the cost was way too fun to pass up!)
While I agree that a cell phone is not the most secure system in the world, I don't feel that the risks you and others have mentioned make it unviable as an alternative.
Kevin
Kevin
Feb 11th 2011
1 decade ago
Great post. I believe that with so many people that have both a Gmail account and a smart phone, it makes a whole lot of sense to leverage both to implement a two-factor authentication system.
The decision by Google to make this available to its users should be seen as a conversation starter. Your comment about your non-real gold being more secure than your real gold hits home.
I say give it a try and look for opportunities to invite our non-security nerd friends into the conversation. Their gold needs securing, for sure.
Russell
Russell E
Feb 11th 2011
1 decade ago
elazar
Feb 11th 2011
1 decade ago
This is still passing the cost to the user in a sense. Text messages and phone calls are not free. Sure, I have unlimited texts and about 4,000 unused rollover minutes, but that doesn't mean I didn't pay for those things. Many people still drop 10-20 cents per text message. At that rate, a mere 30-60 logins will run up a bill equal to that of Blizzard's FOB.
It's a good idea, and I applaud Google for their efforts (and the fact that they offer this enhanced security system), but it's still not a perfect solution.
Pete
Feb 11th 2011
1 decade ago