So you want to secure your Google Account? I know a bit about deploying 2-factor authentication (former COO/CTO of VASCO Data Security).
As a techie, I get goose bumps watching the QR code work. As a salesperson trying to explain how it works, I get nervous twitches. As a support person I go “OMG.” And finally, as an OTP specialist, I am absolutely horrified by my demo below: it shows the main weakness in the system. The QR code is reusable when knuckleheads like me attempt to show how this works.
Let’s walk through the Google use case….
First, figure out if you are ready to enter….
Select your device of choice; my iPhone is the perfect body appendage to select….
Now the cool part: click “next” and a very cool QR code comes up to
Pull out your iPhone app (first download the Google Authenticator app from the iTunes App Store – free) and fire it up….
Now the really bad part…. The QR code above can be scanned by you (like right now) and you too can have my OTP for my account. If anybody in the middle captures the cool QR code image and posts it up on the net (like I did), then that sucker will populate any iPhone with my identity.
I have invalidated the above QR code, but not before gasping in horror as my phone scanned the picture above and installed a duplicate OTP generator displaying the exact same rolling OTP as my first scan produced – it was an “oh God” moment.
Now below you verify the OTP so the loop is closed…
And now comes the creepy backdoor stuff that is the reason we use OTPs to begin with: sticky notes with passwords stuck to the computer….
Yep. Here are your 10 passwords you can stick to your computer for when your iPhone is forgotten and you are locked out….
This is better, but assuming my iPhone is lost, sending an SMS isn’t going to help much, so I should probably go with voice messages. If this fails, Google offers an account recovery menu from hell (which is what it should be, so people only take this trip a few times).
They check it out to make sure it works…..
And it did….
Now for the very complicated static password for all those apps that are not interactive (like Outlook, or email on phones, etc.). All Google does here is scare you a bit; the actual static password is several pages down….
Now it is time to turn this sucker on….
I’m live (I hope)….
Here we go for the first test drive…. User ID and my normal password are still required…..
And here we are! I’m prompted for the 2-factor authentication code, which is a time-based one-time password that I’m assuming is OATH compliant.
I go to my iPhone and fire up the Google Authenticator app, and there is my OTP along with the account it goes with (not really good to tell someone who picks up my phone which account to use the OTP with)…
Enter it in (you have to be fast because this sucker is on a tight 30-second window)…
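As an added example (not code from the original post or from Google), here is a minimal OATH TOTP implementation in Python that shows both points made above: the QR image carries the whole secret, so any phone that scans it produces identical codes, and the server only accepts a code inside its 30-second step (plus one step of clock skew, an assumption for this example). The otpauth URI, the account label and the key are constructed; the key is the RFC 6238 reference key, not the author's real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth:// URI of the kind the enrolment QR code encodes. The secret
# is the RFC 6238 reference key "12345678901234567890" in base32, so codes can be
# checked against the RFC test vectors; it is not the author's real enrolment secret.
DEMO_URI = ("otpauth://totp/Google%3Ajhaggard1%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Google")

def parse_otpauth(uri: str) -> dict:
    """Extract the account label and raw key from the URI carried by the QR image."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret_b32 = parse_qs(parts.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # URIs often omit base32 padding
    return {"label": unquote(parts.path.lstrip("/")),
            "key": base64.b32decode(secret_b32)}

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period); 30 s steps here."""
    return hotp(key, at // period, digits)

def verify(key: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current 30 s step or an adjacent one (clock
    drift), comparing in constant time. Outside that window the code is dead."""
    step = at // 30
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-skew_steps, skew_steps + 1))

def devices_agree(uri: str, at: int) -> bool:
    """Two phones provisioned from the same QR image hold the same key and emit the
    same code: the image is the credential and has to be guarded like one."""
    phone_a, phone_b = parse_otpauth(uri), parse_otpauth(uri)
    return totp(phone_a["key"], at) == totp(phone_b["key"], at)
```

The values returned by `totp` for the reference key match the RFC 6238 test vectors (six-digit form), which is a quick way to confirm the implementation before trusting it.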
I’m now all set up and ready to roll, except I have to take care of those pesky apps that have no dialog capability. I need a complicated static password in addition to my old remembered static password. Click “Create Passwords” to get started….
Now I get a confusing list of information. First, I see all the places that I’ve allowed my Google ID to be used from – if I want, I can revoke them here. Thanks. But the real deal is “Application-specific” passwords.
This should say: “let’s create a list of static passwords that you can give a label to, and we’ll accept any of those complicated static passwords instead of your userid / old remembered static password / OTP.” Get that?
I didn’t at first, so I created one label, hit “create password”, and cut and pasted it into my Picasa, Outlook, iPad, and iPhone email apps. I could have created a bunch of passwords if I wanted.
I could also print them out and tape them next to the 10 backup OTPs taped to the wall.
Now that I’m all done and totally secure, I get a nice email to tell me how much better things are. I now have the following:
1) Google identity – jhaggard1
2) Google static password – xxxxxxxxx
3) Google Authenticator OTP registered on my iPhone for generating my OTP
4) A list of Google-generated static passwords to use when the logon doesn’t support interactive OTPs
5) A list of 10 backdoor OTPs taped to the wall in case I need them.
Wow I feel better already….not.

The advertising company Google isn't into security, but their goal is convenience, to get as many sign-ups as possible.
Still, the procedure is way too complex for most of the world population.
Posted by: Eddy Cormon | February 20, 2011 at 12:01 AM