Field Notes: Google Two-Factor Authentication

the Google Apps Logo

the Google Apps LogoThere’s been a lot of discussion recently about GMail’s two-factor authentication thanks to the Matt Honan hack publicity. I’ve been using it awhile and figured I’d share my thoughts and experiences. I had been using it for an account that I just used for email so it wasn’t much of a hassle. But I recently added it to a second Google account and it’s been more of a hassle. It’s probably needed more on this account, since it’s used for more than just email so I’ve kept it enabled. In the case of Google the two-factors are a password (something I know) and something I have (my phone).

Here are my notes from using Google’s Two Factor Authentication. For the record, I used my own domain with Google Apps accounts in both cases.

There’s plenty of backup available should I lose or break the phone with the authenticator app:

  • I have the Google App on my iPhone so I don’t need a cellular connection to get the code.
  • As backup I have another phone set up to get the code via SMS.
  • As another backup there’s also printable one-time backup codes. The assumption is that Google can keep these codes secure.

If an app or device doesn’t recognize Google Two-Factor authentication there are Application Specific passwords:

  • “Application Specific” is more a description of the intent, rather than a technical requirement.
  • The Application Specific passwords can be used on multiple devices and applications. I’d prefer they be locked to the first app or device they’re used on.
  • If you use the password in a malicious or poorly written app the password can be used my someone else to access your email. So common sense still needs to be used when using the application passwords.
  • While 16 characters is a long password it’s not as complex as it could be, All passwords are 16 characters and there seems to be a limited character set. While this could be more secure, it would still be extremely hard to crack and isn’t a reason not to use them.
  • The application specific passwords only provide limited access to the account, even if compromised, such as accessing email.
  • Application specific passwords are easy to revoke so they can be used to try out a new app and then revoked if the app isn’t used.
  • I’ve had some issues where my iPhone email (for example) decides it needs a new app password and I have to re-enter it. This is a pain as I have to go to the website and generate a new one then type it into the iPhone.
  • While I can see the last time the application password was used, I can’t tell where it is used, so if the password is taken I wouldn’t notice, unless I stopped using it.

Misc Notes:

  • The initial setup is a bit of a pain. When two-factor authentication is turned on all the existing logons will break and have to be redone.
  • PCs can be made “trusted” and then for the next 30 days it won’t be necessary to enter the code when logging on.
  • If Google Sync is used (in Google Chrome) it’s necessary to use a encryption passphrase specific to Google Sync, the account password can’t be used since an application specific password is required. Well actually, an app specific password can be used, but it would have to be remembered and used as the app password for all Google Chrome logons, which goes against the design of the application passwords.

Anyone else using Google two-factor authentication? What’s been your experience?