If you have not already heard, Google allows two-factor authentication (“Google 2FA”) for access to their services – which includes our own Google domains. This adds greater security to accounts by requiring what is in effect a second password that is sometimes required – for instance if someone attempts to use your account from a computer that has not been previously used.
The initial landing page for it is: https://www.google.com/landing/2step/. Having listened to the discussions regarding Google 2FA and having lived with it for some time (with multiple Google accounts), I can say that it’s possible to see reactions to it splitting into three categories :-
- It’s such a pain to use that nobody will ever voluntarily turn it on and if they do, they will quickly turn it off again. Not really; whilst it can take a bit of getting used to there are any number of perfectly normal people who have opted for Google 2FA (frequently after their account has been hacked) who have managed to live with it perfectly reasonably.
- It’s wonderful, not a nuisance at all and there’s no reason why everyone shouldn’t turn it on immediately. Not really; it can indeed be a bit of a pain – it always seems to ask for the additional authentication factor at the most inconvenient moments – and there are cases where you should be careful about turning it on. It is possible that the most enthusiastic supporters of Google 2FA have had it turned on for some time and the initial pain of adoption has faded with time.
- It’s a bit of a pain but a lot better than the alternative. The alternative being that someone breaks into your account and starts using it for something nefarious. Apart from the amount of time that it takes to clean up after something like this, your email address will take a permanent credibility hit from being used by a spammer.
Ultimately it makes a lot of sense to turn it on and once you are used to it, it doesn’t seem strange or that inconvenient any more.
How Does It Work?
In addition to your password, Google will ask for an authentication code (a 6-digit number) to let you in.
The authentication code comes from one of four places :-
- An authenticator application which generates codes in a known fixed sequence. This is not limited to the Google Authenticator application – there are others.
- A text message sent to your mobile phone.
- A voice message sent to your landline phone.
- A printout containing a list of one-time only codes.
You are not asked for the code every time you log in, but when circumstances change or every 30 days.
How Easy Is It?
That depends on your exact circumstances and how many “unusual” applications you use that do not support Google 2FA. Without such applications, it’s probably something you can get set up in under 5 minutes.
If you do use such applications, you will need to generate an application-specific password for each one and configure each application to use it. It should be noted that such applications are unusual and unless you are an extreme geek, you are unlikely to use more than one or two such applications.
How Do I Go About It?
By preparing. You can just turn it on, but if your timing is poor and you have lots of devices that need their settings changed, you could well have a poor experience.
If I were to do it again, I would prepare by :-
- Picking a time that is relatively quiet, and is likely to stay that way for a week (just to be cautious).
- Not picking a time just before a trip!
- Scribbling down a list of the devices and applications that need checking.
- Finding out about application-specific passwords before I need one.
Finally on the day in question, check your email and print off a copy of that day’s calendar before turning it on.
Even if it does go horribly wrong, it is possible to turn off Google 2FA so it is always possible to rescue a situation.
If you do decide to give it a go, the starting point is: https://www.google.com/landing/2step/
It’s Not Perfect!
Turning on Google 2FA doesn’t solve the world’s problems; it doesn’t even solve all issues in relation to authentication :-
You still need a strong password. If Google was the only service your password gave you access to, then it would be possible to follow the advice of the extreme proponents of two-factor authentication and lower the strength of your password. However Google 2FA is not supported when logging into Windows, etc. So for non-Google services your password strength is still important.
It is still possible for your account to be hacked in a number of ways :-
- If you leave your sheet of paper with your one-time only codes lying around and it has your account username and password written on it, people will still be able to “hack” your account.
- If a device containing an application-specific password is broken into, then an attacker can get into your account with that application-specific password.
And perhaps worst of all, it does tend to weld your smartphone even closer to you!