Google 2-step authentication

Posted on 2011/10/16


Google has recently implemented two-factor authentication for user accounts. After reading its description and watching the explanatory video (here is the guide), I activated this option as soon as I could. It really is as user-friendly as it gets, for the security it gives.

Since I own an Android phone I also activated the Google Authenticator option, which turns your smartphone into a security token. To set up the Authenticator you open your Google account settings on a PC and enable the “Android” option for verification codes; the browser then shows a QR code, which you scan with the Authenticator (with the help of a QR-scanning app such as QR Droid). From then on the Authenticator shows a code that is valid only for a short window of time (thirty seconds). The QR code exchange happens only once: I assume it transfers a secret “seed”, known only to Google and your phone, from which both sides derive the same short-lived codes.

Applications that access your Google account but cannot go through the verification step can be given their own application-specific passwords, each of which can be revoked at any time; Google also shows when each password was last used, so you can spot one that has been stolen.

There are also ten one-time verification codes (backup codes) to use when you don’t have your phone available; each of them works only once.

I don’t know how this new authentication interacts with the password recovery options, which are:

  • Recovery through secondary e-mail address
  • Recovery through SMS
  • Recovery through personal security question

I suspect that these recovery options can give you a new password, but that with 2-step authentication enabled you will still need some sort of verification code.

The one potential problem I see is password recovery through SMS, which offers a “shortcut” to someone who steals your phone: the thief then has both a way to recover your password and a way to obtain a verification code. For this reason I suggest keeping separate:

  1. The phone for SMS password recovery
  2. The phone for Android verification code
  3. The phone for SMS verification code

That said, everything fails if your security question is “What is my favorite food? (hint: TMNT)” and the answer is “pizza”. I hope this isn’t news to you.

Posted in: Security