Neil Turner's Blog

Blogging about technology and randomness since 2002

2-Factor authentication on Google

Water wheel
Google has recently enabled two-factor authentication for all users with a Google Account. This means that, when you log in, you provide two pieces of secret information, rather than just a password (which would be ‘one-factor’ authentication). This second piece is a 6-digit code that is generated randomly every 30 seconds from another device.

This improves security by ensuring that, even when a third party knows your password, they still cannot log into your account without the 6-digit code (although see below). Think of it like a PIN number – a thief could steal your credit card but wouldn’t be able to get money out of an ATM without knowing the PIN number.

Some banks have started using two-factor authentication for their online banking services – as well as your username and password, you are asked to enter a code generated by a small electronic device on your keyring. Blizzard Entertainment offers a similar device for World of Warcraft and Starcraft II players, as well as a free iPhone app that does the same thing.

So Google isn’t the first to offer this – it’s actually reasonably well tried and tested. To activate it, log into your account and click the ‘Using 2-step verification’ link. Google will then walk you through setting up your account for two-factor authentication.

There are a variety of options for the second factor. There are apps for the iPhone and Android phones, but you can also receive a code by text message to a mobile phone number that you provide during the initial setup. You’ll also be asked to provide a backup system in case you lose your phone; in my case, Google will phone my work number and a computer will read a number to me.

I mentioned there’s a caveat. Two-factor authentication works great on Google’s various web sites, but falls down if you access Google services through other apps, such as IMAP for Gmail, or CalDAV for Google Calendar, which aren’t really designed with two-factor authentication in mind. As soon as you enable two-factor authentication, any attempts to access data over these protocols will see your login fail.

Thankfully, there’s a way around it, in the form of application-specific passwords. Essentially, for each method of connecting to your Google Account, you can create a separate password. Each password can then be revoked if you find someone using it without your permission, and once generated, passwords cannot be viewed again. Furthermore, the passwords can’t be used to get into your account on the Google web site (they would need your main password and verification code), so it wouldn’t be possible for a hacker to change your main password, or deactivate the two-factor system. It’s not a perfect solution, though.

I’ve turned on two-factor authentication because I have a lot of important personal data in my Google Account – all my contacts, my calendars and hosting details for this site – and wouldn’t want anyone obtaining unauthorised access. The workarounds for CalDAV and IMAP are a bit of a pain, but I feel it’s worth it for the piece of mind.

Whilst we’re on the subject of Google Account security, if you use Firefox I’d recommend installing the HTTPS Everywhere addon, which forces the use of SSL/TLS on most parts of Google. I would, however, suggest disabling the ‘Google APIs’ option in its preferences as this may break some other web sites. Still, it will help to prevent your Google Account data being caught be man-in-the-middle attacks.

One Comment

  1. This was released just in time, actually – my wife’s Gmail account was hacked from Germany right around the same time they released 2-factor authentication. We were able to set it up for her, but it wasn’t made clear enough that her Android-powered cell phone would now need its own password, rather than her new password plus the new extra factor. The way they’ve handled apps using Gmail is a bit fiddly, but the main site is fine. We did eventually figure it out for her phone, and she’s back up and running now.