Google's two-factor authentication: nice idea, but unwieldy


Summary: Google's new two-factor authentication scheme is a huge improvement in terms of account security in the public Cloud. But I can't use it for regular day-to-day use.

TOPICS: Security, Google


Sometimes, with technology, you need to be careful what you wish for.

A couple of days ago I kvetched about needing something better than straight password authentication for sites like Google and Facebook. I suggested that perhaps we might need to look at biometrics, but I realize that getting that type of thing standardized and deployed into actual products might take several years.

There is another type of authentication mechanism, which is extremely effective at keeping the bad guys out of your applications and accounts and has been around for quite some time -- it's called two-factor, token-based authentication using one-time passwords.

Unlike various kinds of biometrics, this type of system doesn't require new hardware on your PC or smartphone, and it has been in use for well over a decade, particularly in the financial industry.

RSA Data Security, for example, has made a nice business out of this with their SecurID product line, which is deployed as a credit-card sized device or a special keychain "token" issued to each user that displays a new verification code every sixty seconds.

That verification code, when used in combination with the account password, uniquely identifies the user. If you don't have that authenticator token, you don't get in.

Verisign, now a division of Symantec, has a cloud-based service that allows you to use your existing smartphone instead of a separate hardware gadget as the "token".

What Google has done is pretty similar. Instead of a keychain fob or a credit-card sized device, it allows you to store an authentication token on your cell phone, be it an Android or iOS device, and have it display the passcode to you in a mobile application. Alternatively, if you don't have a smartphone, Google can SMS your cellphone an authentication code each time you need to sign in.


You can have this set to re-authenticate you each time you log in via the web, or every 30 days.

Now, all of this works pretty well, provided you are just using GMail and Google Apps over the web. It will lock your Google account down like Fort Knox. The phishers and the bad guys won't have a rat's ass chance in hell of breaking into your account.

The problem is, if you use your Google account for anything other than GMail and Google Apps on a browser, it gets a bit more complicated.

In my case, the minute I turned on the two-factor authentication, I broke every single app that I use that authenticates with Google: GMail and all Google services running on my Android phone(s), Mail on my iPad, and my Instant Messenger clients running on my various PCs/VMs and iPad.

It also broke all the web sites I use that have to cross-site authenticate using my Google account, of which there were about a dozen, including Facebook and Quora.

This can be fixed, but it's tricky. You have to log into your Google Account settings and issue a special password for each service and application that talks to Google. I got it working for my Android phone and for the IM client running on my PC. However, as soon as I realized how many of these I would have to issue for every service and web site I use that signs in with my Google ID, I said NO MAS!

Now, I'm not saying that there aren't a whole bunch of people who would find Google's 2-factor authentication useful. Not everyone is as gadget- and connectivity-crazy as I am. But just about everyone I know has access to at least 1 PC and 1 mobile phone, and uses at least 1 or 2 social networking services, so this could be daunting for most people to deal with.

Where I see Google's 2-factor authentication coming into play, at least for now, is on secondary Google accounts used to store critical information, such as financial data, confidential information, et cetera. With these, you'd log in strictly via the web or one or two selected devices running mobile apps, and you wouldn't cross-site authenticate with them.

For that sort of use, I think Google's 2-factor option is great. But for my own day-to-day use, at least until they figure out how to make this work better in the complex app/site mix that I swim in, I'm going to pass.

Are you planning to use Google's 2-factor authentication? Talk Back and Let Me Know.



Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.



  • So what you really want...

    is more security, but you don't want to be bothered with having to do anything extra to gain that security. The magical security fairies should fly by and sprinkle security pixie dust over the internet. Either that or every phone, computer and device that can connect to the internet should be equipped with biometric scanners...maybe we could get the government to make it illegal to surf the net on a device without biometric authentication. If you find yourself in that whining mode, step back and say "Hey, I'm sorry. I was full of crap. I don't really want better security options, I just wanted something to complain about." Or you could just say "Hey, I'm a ZDNet blogger." Same thing...

    Seriously, if you want better security (you seem to be claiming that you do), then don't cry like a six year old girl with a skinned knee for having to actually DO something to get it.
    • Curiouser and curiouser....

      My last two sentences somehow got bumped up to the last two sentences in the first paragraph.
    • RE: Google's two-factor authentication: nice idea, but unwieldy

      @jasonp@... No need to be rude eh!
    • RE: Google's two-factor authentication: nice idea, but unwieldy

      @jasonp there are other forms of 2-factor security. And I didn't say this solution would never work, but it needs to be made easier to use for the average person.
      • The other forms...

        for the most part require an up-front cost. So the alternative right now seems to be force everyone into spending money or force them into spending a little of their time setting things up. If there's a third alternative, by all means share.
      • I do wish...

        @jperlow'd get away from the love of biometrics. It's a dangerously stupid idea. A lot of people have listed the reasons why, but you persist.
      • RE: Google's two-factor authentication: nice idea, but unwieldy

        @wolf_z "A lot of people have listed the reasons why, but you persist."

        It's called having an opinion. This is an opinion blog. I'm entitled to mine and so are our readers who participate on here, including yourself.

        There are as many advocates for the technology as there are against. And I have a huge amount of research and testimonials from government and financial industry clients that I can point to which prove that biometrics is effective when employed correctly.
      • RE: Google's two-factor authentication: nice idea, but unwieldy

        The point is that security is a pain. If it's easy for the user, then it's easy for hackers and all. I think in this case you can't have your cake and eat it too. How 'bout creating 2 gmail accounts. One for your social sites to openid or oauth and the other for your "important" things. The "important" one uses two-factor authentication. Oops. That's too much work for the lazy user.
    • Hysterical?

      @jasonp@... reading your post twists the original issue so badly over the top that it borders on stupidity.
      Take care.
    • Yes, that really is what most people want.

      @jasonp@... ...for those of us who are techno geeks this might be great. But for the vast majority of people, if you make security too hard, they will not use it. I have seen this over and over and over again. When the level of effort reaches a certain point you can't get them to use it.

      It's one thing at the office where I can mandate policies. But for home users this just isn't going to work.
  • I think 2-factor is a great option and yes, I'll be using it.

    No reason not to.
    A minor inconvenience goes a LONG way toward eliminating man-in-the-middle attacks and scripting hacks.

    No more! We have a lot to learn and Europe is way ahead on this count. Been doing it for years.

    So, Jason let's get PhoneFactor on ZDNET and you'll have not only eliminated the 'riff-raff' but immediately see a net improvement in the general behavior in the TalkBacks.


    It's easy to implement Jason. OK, get going.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Google's two-factor authentication: nice idea, but unwieldy

      @Dietrich T. Schmitz, Your Linux Advocate The day of reckoning on Talkbacks is coming, Dietrich. Soon. :)
      • I hope so . . .


        I stopped commenting for the most part because of the nonsense . . .
    • Why would you use this?

      @Dietrich T. Schmitz, Your Linux Advocate

      Linux is invincible. Since you don't use Windows there isn't reason for you to use anything more than a 4 digit numeric password right?
    • RE: Google's two-factor authentication: nice idea, but unwieldy

      @Dietrich T. Schmitz, Your Linux Advocate

      So you're going to be paying for all the minutes this uses on my phone, right? No? Then zip it.

      LastPass has MFA which works *and* is functionally free: printable grids.
  • Remember we discussed this concept possibility recently, Jason.

    Reading your whole article, I've come to the conclusion that the "Hollywood" option might be best left to "Hollywood".

    Then again, it does protect G-Mail accounts and that's a very big plus.
    • RE: Google's two-factor authentication: nice idea, but unwieldy

      @kenosha7777 There are other mechanisms for doing 2-way besides Biometrics or by using one-time numerics. I was told about this one today, which looks pretty interesting:

      No other devices to use except your own brain.
      • RE: Google's two-factor authentication: nice idea, but unwieldy

        @jperlow That is so clever, simple and straight forward from a user stand point. There must be a huge flaw in their reasoning!
      • RE: Google's two-factor authentication: nice idea, but unwieldy

        That "image-based authentication" security password protocol outlined via your link was pretty impressive. I wonder how many attempts it would allow before the system locked out that user?

        I think a hacker could just "take a guess" and try to get lucky if he knew something about the system and how many image associations might be required to gain access. If that hacker had a list of system ID names, he might be able to use "brute force" techniques to gain access to a few of those accounts.

        I don't know... I like the image based security idea but it still could be hacked.
      • RE: Google's two-factor authentication: nice idea, but unwieldy

        @jperlow That image-based system solves the problem of making the password more secure, but it isn't quite the same level as the two-factor authentication method. In theory, even if I GAVE someone my password, they couldn't log in without also having physical access to my cell phone.

        With the image based authentication, as soon as I gave someone my three categories, they'd be able to get in every time.

        I'm not saying the idea is to tell people what your password is or to give people your categories, but the point is... one is simply more secure, as it requires physical access to my cell phone.