Two-Factor Auth: Can we just Google the response?

Published: 2011-02-11
Last Updated: 2011-02-11 05:43:56 UTC
by Kevin Johnson (Version: 1)
23 comment(s)

Google announced earlier that they are now offering two-factor authentication to all of their users.  More information is available at the Google Blog.  This is an extension to the service offered to their Apps customers last month.  While normally I would think that “advertising” a service wouldn’t fit in this diary, this is a little more then the regular new feature.  In mind opinion, it’s a big change in how people think about two-factor authentication.

 

We have known for years that passwords are one of the weakest points in our security controls.  Users pick weak ones or share them with anyone who asks nicely.  Even security consulting firms will fall for simple social engineering attacks and reveal them.  One answer that has been proposed often, but is shot down almost as often.  Clients often tell me that the cost is to high to roll out a solution, which I have always felt was the wrong answer.  Of course, I am the paranoid security nerd.  When this happens, I propose one of two solutions that try to help lower the cost.

 

The first is where the site or organization passes on the cost to the user.  Blizzard does this for their Battle.net accounts.  If the user feels that they should use two-factor authentication, they can either pay for a fob (the token generator) or install a smart-phone application.  Of course I always laugh that my virtual gold in my World of Warcraft account is safer then my real “gold” in my bank account. 

 

The second route is the one Google has chosen.  When a user activates the system, their log on process has an extra step.  After entering their password, they receive a phone call or an SMS that has the token.  They enter this into the form and if it’s correct, they gain access to their account.  This lowers the cost of deployment because it removes the needs for a fob to be sent to every user.

 

So the questions are pretty simple.  First, how do you think two-factor authentication should be implemented and how do you deal with the cost?  Second, alliance or horde? ;-)

 

Kevin Johnson

Secure Ideas

Keywords: Google twofactor WoW
23 comment(s)

Comments

In the org where I work all remote access requires 2 factor auth because of a simple business case: Can we afford not to? Luckily in my org's industry it was an easy answer, no. But I think highlighting cases like WoW, and Google will hopefully start to add weight to arguments for this and the costs seems to be going down as well.

And, Alliance :)
Sorry but i thought 2 factor meant something you know + something you have. What is the something you have in this solution ? This is not 2 factor authentication as the virtual "something you have" is owned by google and not you !
as the images show in this article:
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

As you can see on the second image: You are able to "stay signed in" AND to remember verification Code (ie 2nd factor) for a period of 30 days.
I did not test that but I think it looks like as it is ... you can bypass google's 2nd factor security just a click away.
DJ-O,
The somehting you have in this situation is your cell phone.
Michael: I agree that the stay signed in is a problem. I would have hoped that Google would remove that "feature" if 2FA was requested.

Kevin
The day blizz offered the token for order is the day I happily sent them US$ 5.99. (And no, I don't pay for the vanity pets...)

With "features" like the iPhone/iOS encryption key harvesting bug discussed yesterday on slashdot, is there a viable alternative to hard tokens?

Oh and FOR THE HORDE!!!!!
AT:

I agree that the $5.99 was a easy cost to send in. (I have to admit to buying one vanity pet. The one that they donated the cost was way to fun to pass up!)

While I agree that a cell phone is not the most secure system in the world, I don't feel that the risks you and others have mentioned make it unviable as an alternative.

Kevin
Kevin:

Great post. I believe that with so many people that have both a Gmail account and a smart phone, it makes a whole lot of sense to leverage both to implement a two-factor authentication system.

The decision by Google to make this available to its users should be seen as a conversation starter. Your comment about your non-real gold being more secure than your real gold hits home.

I say give it a try and look for opportunities to invite our non-security nerd friends into the conversation. Their gold needs securing, for sure.

Russell
My concern is that the phone is going to become the new password, then again, you could end up with as many tokens as passwords on your key chain. Pick your poison.
"The first is where the site or organization passes on the cost to the user. (...) The second route is the one Google has chosen."

This is still passing the cost to the user in a sense. Text messages and phone calls are not free. Sure, I have unlimited texts and about 4,000 unused rollover minutes, but that doesn't mean I didn't pay for those things. May people still drop 10-20 cents per text message. At that rate, a mere 30-60 logins will run up a bill equal to that of Blizzard's FOB.

It's a good idea, and I applaud Google for their efforts (and the fact that they offer this enhanced security system), but it's still not a perfect solution.

Diary Archives