
Google’s 2FA actually LESS secure than a strong password

Jun 25th, 2011

I tried using Google’s two factor authentication, where you install an app on your phone and it generates a code for you that you need in addition to your password in order to access your Google data.

The major problem with this is that not all clients support it. You are forced to create a unique password for each of these clients, so that they don’t have to supply the 2nd factor (the PIN code on your phone). This includes clients such as iChat, Adium, Apple Mail, Thunderbird, Outlook, etc.

I think it might actually make your account *less* secure unless you *only* use Google services through their web interfaces that support the 2FA. If you use iChat, Mail, etc, you are adding additional keys that unlock the same lock. This increases the brute force possibilities. You don’t even get to create those keys yourself, they are chosen for you.

Until all of these clients support 2FA, I say pick a strong password and forget 2FA.

4 Comments

  • jeremiahfelt

    I don’t get it – why more clients do not seamlessly support 2FA anyway. “But their interface yadda yadda.” Bullplop.

    No client should ever present a challenge for anything more than username and password – otherwise, it gives away the 2FA secret. The fact that you’re bothering to use 2FA. The fact that you’re bothering with a better lock.

    In cases where you have 2FA, and the client only provides fields for username and password, the password field should contain both factors, concatenated – either seamlessly or with a control character.

    Par exampla, if my password is ‘banana’ and my second factor is 235689, then the contents of the password field is banana235689.

    Problem solved.

  • Ben Woodruff

    Thanks for the comment. I completely agree.

  • Steven Smith

    This is one of many reasons I ditched the BlackBerry… but it was PayPal-related. They tried to force you to “associate” your PayPal account with your BlackBerry account. After the fifth time of having to enter my password and security token just because I dared to open the web browser, I decided it was time for a phone that didn’t suck.

    For the record, PayPal *does* support this sort of hidden 2FA, but with a somewhat less-than-ideal implementation. You can enter in the field, but if you don’t enter the nonce, it gives away the fact that you’re using 2FA and asks for your nonce. This means that a determined attacker can brute-force your password, and then actually get confirmation that you’re using 2FA or not.

    Yay information disclosure vuln.

  • Jeff B

    I agree to a point. However, the application-specific passwords are sixteen alphabetic characters. If we were able to make a billion password guesses a second it would take roughly 1.3 million years to guess one of these application-specific passwords (26^16 / 1,000,000,000 / 86,400 / 365). Have 10 of them? Now it’s 130,000 years instead. I think Google may notice a billion password guesses a second as the passwords alone would be 128Gbps excluding overhead.

    The benefit of 2FA is that you don’t need to remember a 16 character password to be secure. You also don’t need to generate application-specific passwords if you choose not to, but if you suspect one is compromised you can always delete it and create a new one.

    The downside of 2FA is that Google needs better support for Android phones, which currently need an application-specific password.
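As an added example (not code from this post, from Google, from PayPal or from any commenter), here is the server-side counterpart to the scheme jeremiahfelt describes above, where the password field carries both factors concatenated (`banana235689`), next to the leaky variant Steven Smith describes, where a correct password with a missing code triggers a prompt for the code and so confirms that 2FA is enabled. Everything in it is constructed: the account records, the password `banana`, and the 20-byte secret, which is the RFC 6238 test-vector secret rather than anything from the post. The TOTP routine follows RFC 6238/4226 (HMAC-SHA1, 30-second step, 6 digits) and the split rule is the server's own decision, so a client that only knows "username and password" needs no change.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

OTP_DIGITS = 6
OTP_STEP = 30
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the first factor (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over time // step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_account(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Constructed account record; totp_secret is None when the user has not enabled 2FA."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def split_field(account: dict, field: str) -> Tuple[str, Optional[str]]:
    """The server decides how to read the single field: for a 2FA account the last
    OTP_DIGITS characters are the code and the rest is the password; otherwise the
    whole field is the password.  'banana235689' -> ('banana', '235689')."""
    if account["totp_secret"] is None:
        return field, None
    return field[:-OTP_DIGITS], field[-OTP_DIGITS:]


def _otp_matches(account: dict, code: Optional[str], now: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    if code is None:
        return False
    ok = False
    for skew in range(-window, window + 1):
        expected = totp(account["totp_secret"], now + skew * OTP_STEP)
        if hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8")):
            ok = True
    return ok


def verify_login(account: dict, field: str, now: int) -> bool:
    """Uniform-failure check: every wrong input yields the same False, so a correct
    password guess does not reveal whether a second factor is in play."""
    password, code = split_field(account, field)
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    if account["totp_secret"] is None:
        return pw_ok
    otp_ok = _otp_matches(account, code, now)  # evaluated even when pw_ok is False
    return pw_ok and otp_ok


def verify_login_leaky(account: dict, field: str, now: int) -> str:
    """The behaviour Steven Smith describes: the bare password is tried first, and a
    match on a 2FA account is answered with a prompt for the code.  That third answer
    ('NEED_OTP') is the oracle: it confirms both the password and that 2FA is on."""
    bare_ok = hmac.compare_digest(hash_password(field, account["salt"]), account["pw_hash"])
    if account["totp_secret"] is None:
        return "OK" if bare_ok else "DENIED"
    if bare_ok:
        return "NEED_OTP"
    password, code = split_field(account, field)
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    return "OK" if pw_ok and _otp_matches(account, code, now) else "DENIED"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed demo only
    acct = make_account("banana", secret)
    t = 1111111109
    print(verify_login(acct, "banana" + totp(secret, t), t))   # True
    print(verify_login(acct, "banana", t))                      # False
    print(verify_login_leaky(acct, "banana", t))                # NEED_OTP (the leak)
```

The uniform version always computes both checks before answering, so timing as well as the response stays the same whether the password half was right or not; the only way to get anything other than `False` is to present both factors at once, which is exactly what the concatenated field lets a plain username/password client do.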
