Thoughts on Google’s Two-Factor Authentication – Part One

Last updated: 08 November 2011

I read an interesting post by Chris Ripley on BlogCritics last week, looking at Google’s two-factor authentication. In case you missed its recent announcement, the search giant has made two-factor authentication available on its email accounts worldwide. This is a great step in the right direction and it’s fantastic to see people like Chris supporting the cause of strong authentication! I actually took it for a spin and set up two-step verification (as they have termed it) for a Gmail account using my iPhone as the authenticator. The setup was simple, and it enables one-time password authentication on the account.

It’s good news for all of us that we can lock down our Google apps more securely now, but there are other areas where this should set a precedent for stronger authentication. And it is important to recognize that, while this is a step in the right direction to enable companies to move to cloud-based apps for productivity, this may not be a sufficient level of protection.

One such area is companies’ sensitive data. We are all aware of the economic drivers for moving to cloud-based apps, and there are plenty of companies out there trying to promote these apps to you. But consider this: no amount of savings is worth the potential damage caused by a breach of sensitive information. This is why I spend a lot of time talking and writing about layered security and the need for strong identities in the online world. One-time password (OTP) is a good step in the right direction, but over the last year we have seen how it can be compromised. Brian Krebs did the deep-dive work on who was affected by the RSA breach, and the results were pretty incredible. Brand name after brand name appeared on his list, proving that, in some cases, OTP is only a partial answer to the bigger security question.

The strongest form of authentication is when you implement multiple authentication factors. As discussed many times on our blog, this essentially means three categories: something you know (username and password) plus something you have (OTP device, certificate-based device) and, for extra security, something you are (a biometric detail such as a fingerprint). By increasing the number of authentication factors, you increase the level of security and, as a result, the level of trust given to the identity of the person accessing a computer network or account. OTP is a good step because it introduces a second factor, but if someone were able to steal the device or compromise the OTP algorithm (or the seed it depends on), the effectiveness of OTP as a security measure is diminished.
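As an added example (not part of the original post), here is the time-based OTP scheme (RFC 6238) that phone authenticator apps commonly implement, paired with the server-side check a defender wants: a one-step clock-drift window and rejection of code reuse. The seed is the RFC test-vector value; the point for this post is that the seed is the entire secret, so anyone holding a copy of it computes the identical codes, which is why a seed-database compromise undermines the factor.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector seed (20 bytes); a real seed is random.
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    Note that the output depends on nothing but the seed and the time, so a
    copied seed yields exactly the same code as the legitimate device.
    """
    return hotp(seed, now // step, digits)


class OtpVerifier:
    """Server-side check that tolerates `drift` steps of clock skew either way
    and never accepts a code for a time step at or before the last accepted one,
    which blocks replay of a code that was already used."""

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed, self.step, self.drift = seed, step, drift
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_counter:
                continue  # already consumed (or older): reject replay
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(TEST_SEED)
    code = totp(TEST_SEED, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 64))
```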

In the second of my posts on this topic I will explore how certificate-based identity systems can help further secure details such as email and banking accounts.

One thought on “Thoughts on Google’s Two-Factor Authentication – Part One”

  1. Ray,

    I believe I heard that the US government now mandates the option for strong authentication for all ISPs in the US. Not sure this means “OTP”; I was under the impression that it is supposed to specifically mean “PKI”. I agree that biometrical information increases security, just that associated costs are often too far away from commercially viable. Thus, alternate means (something ONLY you can know) may have earlier success.

    I suppose you are targeting the RSA attack as a statement about OTP weakness. So yes, a single seed key for a whole system is one issue. More important: nobody really knows who logs into the system – it can be from anywhere in the world by somebody who was told the digit sequence.

    So whereas OTP systems can technically not be made fully secure, only PKI provides such security, when improved by a trustworthy authentication application. I believe this is what NIST is aiming for.
