[LINK] Google Account [In?]Security
Scott Howard
scott at doc.net.au
Fri Aug 5 03:00:27 AEST 2011
On Thu, Jul 28, 2011 at 3:25 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:
> It's interesting that:
> - Google recently introduced and has now extended the availability
> of two-factor authentication
> - and then they crippled it
>
No, they didn't cripple it - it always worked this way.
> "And you can use a cookie to save that second token ...
> [So during the life of the cookie it reverts to single-factor
> (password) authentication]
>
> " ... for thirty days, so you'll only have to go through the process
> once a month on the computers you use frequently."
> [So the life of the cookie is long.]
>
> [Not having a Google account, I'm in the dark here. I understand
> that Google accounts are password-protected, but is it common
> practice to ask-once and then store the password in a cookie? If so,
> the device is authenticated, but the user of the device is not. So
> anyone who steals, or just borrows, the device would have access.]
>
Yes, this is very common. Many websites do something similar, with some
form of out-of-band mechanism (often email, which may or may not really be
out-of-band) and/or additional authentication being used to provide the
additional level of security.
It's clearly not as good as using the 2-factor auth for every login, but
it's generally seen as a worthwhile compromise, especially as it
significantly reduces the overhead on the user when using a computer that
they trust.
Google has done it right in that they give the user the option whether the
additional authentication is cached or not - if you're on a shared computer
(internet cafe/etc) then you can choose not to do so.
> [So does this 'periodic second-authenticator' leave the person who
> steals or borrows your handset free to gain access to your Google
> account for an average of a fortnight after they steal your phone -
> or pretty much any time they borrow it? Or is the account still
> password-protected throughout?]
>
Only the 2nd level of authentication is cached for 30 days. The
requirements to enter the password are still the same as before (which is
still not saying that a password is required - it would depend on a number
of factors such as whether the user had selected the "Stay signed in" option
or not).
Scott
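The behaviour Scott describes above, as an added example (not code from the thread or from Google): the password is checked on every login, and only the second factor is skipped while a signed, 30-day device-trust cookie for that user is still valid. The user may decline the cookie on a shared computer. The key, the 32-byte MAC layout and the user ids are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = secrets.token_bytes(32)   # hypothetical server-side key (constructed)
TRUST_TTL = 30 * 24 * 3600         # thirty days, as the quoted Google text states
MAC_LEN = 32                       # HMAC-SHA256 tag appended to the payload


def issue_trust_cookie(user_id: str, now: float) -> str:
    """Mint a device-trust cookie: {uid, exp} JSON plus an HMAC over it."""
    payload = json.dumps({"uid": user_id, "exp": int(now + TRUST_TTL)}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def trust_cookie_valid(cookie: str, user_id: str, now: float) -> bool:
    """True only if the MAC verifies, the cookie is for this user and not expired."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        data = json.loads(payload)
    except Exception:           # undecodable or malformed cookie: treat as absent
        return False
    return data.get("uid") == user_id and now < data.get("exp", 0)


def login(user_id, password_ok, otp_ok, trust_cookie, remember_device, now):
    """Return (outcome, cookie_to_set). Password first, always; then the second
    factor unless a valid trust cookie for this user is presented."""
    if not password_ok:
        return ("denied", None)
    if trust_cookie and trust_cookie_valid(trust_cookie, user_id, now):
        return ("ok", None)             # second factor cached for this device
    if not otp_ok:
        return ("need_second_factor", None)
    # Second factor passed; only cache it if the user asked (not on shared machines)
    return ("ok", issue_trust_cookie(user_id, now) if remember_device else None)
```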