After reading about a recent hack attack, I wrote this blog post to ask people to turn on two-step verification on their Google account. It's a little bit of work, but it makes you much safer.

At the bottom of my blog post, I mention questions I sometimes hear, along with the answer to each question.
You create a special “application-specific password” that your mail client can use instead of your regular password. Doesn't it kind of defeat the purpose? An attacker can simply use this password to...
63 comments
the real issue here is information that one company considers secure, the other company doesn't. What we really need is all the tech companies to get together and set up some standards.

Or put more simply ... "What we have here is a failure to communicate"
 
Google could always make the two step thing mandatory?
 
I did it yesterday. If I'd known it was that easy, I'd have done it earlier.
 
Love 2 step verification.  The only time I had trouble with it was when I had to switch phones and get a new barcode for my new phone (Google Authenticator) to scan.  Finally got it but it was a pain.
 
Thanks for posting this, +Matt Cutts! It's sad that it took +Mathew Honan losing all of his data from the past 8 years for everyone to start caring, but it always takes something.
 
You convinced me. I enabled it a few minutes ago after reading your post.
 
Ironically, because my office is so paranoid about security that I have to leave my phone in the car, I have no way to access my google account from work via 2 factor authentication.
 
OK, Matt, please tell me what I am doing wrong.

I used two-step very successfully with my previous HTC EVO phone. I was able to pretty seamlessly use the Chrome browser at home and at work, and access the various apps that needed specific passwords.

Then I upgraded to an EVO LTE and the first thing I had to do was turn off two-step in order to complete the setting up of my phone. (in the future, you might want to include Authenticator on phones) Afterward, I couldn't seem to get two-step to work again.

I fought my way through it this weekend by adding my LTE as a new device, and then getting the 6 digit code to be able to access it. But afterward, when I tried to use Authenticator to get a code for my work Chrome browser, it only gave me a code for my LTE phone. I had to have a verification code texted to me to get my browser working.

Do I need (in my Google account) to revoke all previous devices and apps and add them back in, one at a time?

BTW, I am a fan of two-step verification, and turned a friend on to it after her Google account got hacked. That was several days of inconvenience for her, so it's worth the hassle.
 
+Ethan Smith, can you bring in a tablet or a sheet of printed codes?  You only need to enter the code once in a while if you're using a single browser on a single computer, so even remembering just the next code on your printed sheet might work.
 
Wondering if we will get Yubikey support sometime from Google for two-step authentication. It works great with my LastPass as well as WordPress site...
 
Thanks Matt, I finally got round to it due to this.
 
There was a comment about suggesting making 2-step authentication mandatory.  Please, please don't, unless you're planning to provide physical authenticator options, as Blizzard does.  As unbelievable as it may seem to others, some of us don't have cell phones.
 
+Matt Cutts I turned on 2 step authentication, then disabled it after only a few hours.  It's impossible to use if you have applications that don't recognize it, on multiple devices.  Using the one time codes worked great, until I attempted to enable the apps on multiple devices (iPhone, iPad, Mac, PC at home, PC at work, etc).  If Google could post a tutorial on this, I would consider re-enabling 2 step authentication.  It's nearly impossible when there is no contact at Google to call for support (or email).  Thanks for posting this article though, as the recent story is concerning to say the least.
 
Also interested to know what kind of increase this causes in setting up two-step authentication, is that stat likely to be released?
 
I did it, it's been a long time ago... that's more work to save your Google account...
 
tried it when it came out, totally screwed my google experience/phone ...  the process is so alienating it's incredible.  Not even all google software use it properly.  If you have multiple devices it's a nightmare.
 
I wish "Application Specific Passwords" were really specific to a single application.  Currently, I can reuse the same password in multiple spots and it will continue to work everywhere.  Each new password I generate increases the possible ways for hackers to get into my Google account.
 
It's not just a "little bit of work" it's downright draconian. But I suppose that we must...
 
I switched on 2-factor auth many many months ago after it was mentioned by various Googlers and people like Jeff Atwood. Seemed inconvenient until I had ids cached in trusted machines and discovered the Authenticator app.

The only gripe is that the Gingerbread screen-lock recovery process requires a sign-in to the user's Google account and isn't 2-factor aware, so I've had to set up an application password to get around this.
 
The process of setting up Google Authenticator on a Nexus 7 after you've already added an Android phone is impossibly difficult to figure out. Need waaaaay better instructions.

EDIT: It can't be done. So if you have your tablet on you but not your phone and you're prompted for the code, you'll need to enter one of your printed backup codes. And once those run out, you'll need to print new ones. Rinse and repeat. Ill-conceived. I'm just going to take my chances with the regular password. Too high of a risk of being locked out of my own account. :(
 
After reading that story I turned on multifactor auth... but after 5 tries to get chrome to work on my phone with an application specific password to no success I turned it off and just changed my password...
 
+Matt Cutts - I did not know about Myth #6. Very cool. Hmmm...might turn this on for my own home computer system...(of course, if you're using password-based authentication for your own SSH servers, there is a problem there).
 
I turned it on today after reading Mat Honan's article and watching the video you posted a while back. I must say using the Google Authenticator app on the iPhone is a breeze.
 
2 step authentication is a great tool, however it should be improved when replacing phones. I had serious problems when switching from BB to Android (which authenticator to use: the old one installed on the BB, or the new app on Android?).
Also, the compatibility gap with major Google tools (e.g. AdWords and Chrome) should be closed fast, so the application verification code is not needed. A step forward was made when a user is informed which password to use (application verification vs. the user's password). But there is still a way to go....
And last: I am really worried about what would happen when I am overseas....
 
+Mike Keller when I set up a new phone, I didn't need to disable it. I left it on and it sent me to a page to log into the phone where I put in the password and it sent me a text with the code.
 
Set up my PC, no problem. Then went in and set up my apps that I thought of, Thunderbird, email on my phone, etc. Then, over the next several hours I had to enable more and more with more texts. Chrome sync, that needs an app password. I seemed to get into Google+ without a texted code, but I did need one for AdSense. Still haven't figured out how to input one to sync my calendar locally. I haven't even done my laptops yet... The app part is what makes this so tricky. If it does turn out that after all of this up front, I don't have to do it all again (in 30 days?) then it's worth it. If not, I'll have to figure something else out.
 
Been using it from day 1 together with application specific one time passwords and it works perfectly!
:)
 
Chrome Sync does not work well with 2 factor auth. Every day, I am forced to create a new app specific password for the sync to work well.
 
without the two-step verification, nothing works, especially when I need to log in in a customers office
 
Thought you said "heart attack" Matt - it's another reason to have 2 stage verification - no Paramedic's gonna see my emails or ads for cheesy poofs
 
I have been using it on my accounts for the last few months and it has been pain free.  Well worth it!
 
Two-factor is now on for me.  Thanks for posting that Wired article. Scared the you know what out of me.
 
What if instead of asking for a password we had a set of questions (like the ones we get when we forget our password) that randomly show-up for us to answer. With the variety of questions that could be asked, and our ability to remember them easily, perhaps it would be harder for hackers to get all that info. We wouldn't have to store the questions/answers on a paper or spreadsheet or other software - we would know the answers intuitively. Plus, we could have a different series of questions (or even make-up our own) for each website we need to log into. Just an idea.
 
There just doesn't appear to be any abuse detection on the application specific passwords. If one of these is somehow cracked or retrieved (such as through insecure storage in a mail client's settings, for example), that password can be used to get full account access, without the user's knowledge.

We should be able to set specific IP ranges, at least by country.  If some random Chinese IP starts downloading my data, even with the correct password, it ain't me!  The password UI needs to show last access location and IP, rather than just the 'last used' date.
 
+Matt Cutts Is there a way to enable 2-factor authentication and still use Google Calendar Sync? Or should we expect an update soon?
 
My main concern is losing my phone. If the "attacker", i.e. random guy who finds my phone, has my phone and I don't, how is this working for me?
 
+Pavlos Papageorgiou there really wouldn't be much difference. 2 step wasn't created to protect against that type of "attack". There are other security measures like a password/PIN to protect the contents of your device and the data it contains (your Google account).

It's like asking how a car alarm protects the car if one loses the key and remote.
 
Also, if one's phone is lost or stolen, before the new possessor gets a chance to use it, the 2FA can be disabled. If the phone itself is properly secured, it will give some time to do this.
Edit: and the 2FA can be re-enabled. This renewal will invalidate the Authenticator app running on the stolen device.
 
What good is a key if my losing it doesn't matter or give the finder an advantage? I'm sorry but this isn't making sense.

The Google Help video lists two use cases that are very unsafe (public computers, same passwords on multiple sites) and shows how 2FA makes them safer. I agree. As far as I can see it makes the safe case (unique password, using only equipment you own) less safe by introducing a factor of intermediate security i.e. our phone or phone number, and in case you lose that yet other factors of low security and reliability (a note in your wallet). I'm unimpressed.

Application-specific passwords on the other hand are always a security improvement and should be used.
 
+Pavlos Papageorgiou my analogy was a bit off.

It's 2-factor, your phone is just one part of the key, it's not the entire key. To access your account you now need 2 pieces of information. Your password same as was required before, and now an additional piece of information. How do you see this as "less safe"? The phone is just a means of delivering the authentication code (app, sms, or voice). The printable backup codes are for when you need to log in from an untrusted device and aren't able to get a code from the phone. To use them, you still need your password to the account, they aren't a back door.

I hope this makes more sense now.
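To make concrete the point in the two replies above (the phone only delivers a code derived from a shared secret, and re-enabling 2-step with a fresh secret invalidates the Authenticator app on a lost device), here is an added example that is not from the original post or from Google: a minimal RFC 4226/6238 HOTP/TOTP generator and verifier using the Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits). The issuer and account names are made up, and the reference secret is the published RFC test vector, not a real key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator default period
DIGITS = 6          # Google Authenticator default code length

# Published RFC 4226/6238 test-vector secret (constructed sample, not a real key).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus +/- `window` neighbours to
    tolerate clock drift. Constant-time comparison avoids leaking matched digits."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI an enrolment QR code carries. It contains the base32
    secret itself, which is why the barcode must only be shown during enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def reenroll() -> bytes:
    """Re-enabling 2-step issues a fresh 160-bit secret; an app still holding the
    old secret (e.g. on a lost phone) can no longer produce verifying codes."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    t = 59  # RFC 6238 sample time: the 6-digit code for the test secret is 287082
    code = totp(RFC_TEST_SECRET, t)
    print("code:", code, "verifies 20 s later:", verify_totp(RFC_TEST_SECRET, code, t + 20))
    new_secret = reenroll()
    print("old-phone code after re-enrolment:", verify_totp(new_secret, code, t + 20))
    print(provisioning_uri("ExampleCorp", "user@example.com", new_secret))
```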
 
If the additional factors have any effect, they are also partial back doors.

Suppose someone steals my immediate possessions including my phone and my wallet with the note. My phone is unlocked as I don't have anything too sensitive on it.

Normal scenario: I need to find a safe computer as quickly as possible and change my Google password. The attacker can impersonate me in this time window.

2FA scenario: I need to find a safe computer to change my password. Presumably Google will ask me for the extra code, which I don't have. In which case:

--> I can kindly ask Google to cancel 2FA, in which case how does it add security?
--> Google insists that I pass the 2FA test, in which case the attacker can impersonate me for much longer and/or my account is blocked forever. The attacker is also alerted that I'm trying to change the password.
 
First it's contradictory to say there's nothing sensitive on the phone but worry about losing access to the Google account that is on it, or someone impersonating the owner of said account.

If you're worried about this scenario, keep a printout of the wallet codes at home. Keep them in a text file on your PC. Email them to an account not linked to your main account. Add more phone numbers for 2step. You can use your home number, work number, a friend's number. There are any number of ways to make sure you are never without access to a verification code, and they are only ever needed when logging in on an untrusted device, or 30 days after marking a device trusted.

Also in this situation, you don't want to change your password when you log back into your account, you want to revoke the application specific password assigned to your phone.
 
> Contradictory to keep your phone unlocked but worry about account security.

No.

> You can plant backup codes in all kinds of places.

And these will eventually result in a different delay before you can change your password. Convenience and delay will vary depending on whether you're travelling, who you are with, what emergency has separated you from your possessions, etc.

I agree that 2FA has valid use cases but still challenge the statement that it will obviously improve security for everyone.

A security feature that I'd like is an "account freeze" function. I'd like to go to a new computer, authenticate, and then freeze my account so it logs out all devices and apps and only lets me change password. This gives me relative peace of mind until I am able to commit a new strong password to memory.
 
It will improve security for the people that care about security. For the careless, nothing will help.
 
Two-factor authentication is great, but +Matt Cutts, can you please make it part of every product's test plan?

There are big usability gaps -- like when a verification text message appears in your Android notification bar, clipped at 5 digits, with no indication that there's a 6th digit you need to see.
 
Security is about scenarios. 2FA takes two common "poor" security scenarios, reused passwords and trojan computers, and turns them into "decent" security. Great! That's commendable.

When applied to a "very good" security scenario, unique hard passwords on trusted computers, it may turn it to "good". That depends on assumptions about all kinds of things: Where's home? Is it tidy or safe? Is everything on a phone equally sensitive? Do only careless people lose their phones? This is sloppy security.

On the other hand, application-specific passwords seem solid. Why can't I turn on that feature without the security-reducing 2FA?

And what about the overall security design of my Google account? Mine has recovery options, which decrease security anyway to "decent", because Google encouraged those and didn't make it convenient to have high security instead. If I turn on 2FA will it blow by recovery options? It should! But I can't tell before I try. Parts are good but the whole security design is sloppy.
 
App-specific password isn't a feature, it's a workaround. It's the same as putting your password into a field in some app with some slight differences. If/when it's compromised, you can revoke it without breaking other apps, vs changing your password and having to update in every app that requires it. And I don't think you can use it to change the current password and take over an account. Other than that, they grant enough access to allow an attacker to cause serious damage.
 
I've been bringing up the potential security weakness that application specific passwords expose in 2 factor authentication, but nobody seems to understand what I'm talking about. I finally feel vindicated! Leo Laporte mirrors my concerns in this week's episode of "This Week In Google!" It turns out I'm not the crazy one here, whew!

This Week In Google 158: Forking the Meatball

Here is my original discussion about it on the chromebook forum
https://groups.google.com/d/msg/chromebook-central/ztPqOfPdypk/wbgMjpsVHcUJ
 
Just turned on two-factor authentication and now having serious sync issues on my Android phone.  What's going on?
 
+Adam Smith I'm having trouble seeing anything from your Groups link. Not sure if the problem is on my end or the link is broken. I'm interested in seeing what concerns you may have.
 
+Robert Davis are you using an android phone? I don't know if this will work with all versions (I'm on Jelly Bean).

If you set up the Google account you can no longer access as an account on the device, open the browser and go to https://accounts.google.com

You'll get a popup bar across the top asking if you want to "Sign in as" and your Google account (this is a drop down list if you have multiple accounts on the device you can select the one you need).

After that you should be able to access the 2-factor settings and fix what you need.
 
+Jeremy Perez Thanks, I updated the link with one that should work now.
 
+Robert Davis you definitely don't want to delete the account from the phone. I am not familiar with iPhones. Is there an option to stop the phone from checking the account for emails?
 
I don't have a smartphone. I'm not a luddite it's just not something that would add value to my life. Since there is no way for me to retrieve my login pin I don't see how this will help me be more secure. Am I missing something? If I lost a smart phone it would grant access to my accounts anyway.
 
+Jay Sprenkle What you're missing is that losing your phone is a different security issue. This isn't what 2-factor is meant to protect you against. It's meant to protect you from someone trying to gain access to your account from the comfort of their remote location without trying to steal your phone or waiting for you to lose it.
 
I tried the two-factor authentication fairly soon after it launched, as I strongly support increased security. HOWEVER it was basically unusable. It was fine for native Google stuff (gmail, docs etc), but additional services (YouTube being the main one but there were others) didn't recognise the two factor system at all, and I was constantly having to set up single use passwords for those. As I access my multiple Google accounts from many different computers and mobile devices it just became an admin nightmare, and eventually I turned the whole thing off.

Have you made it any better?