[LINK] Google Account [In?]Security

Scott Howard scott at doc.net.au
Fri Aug 5 03:00:27 AEST 2011


On Thu, Jul 28, 2011 at 3:25 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:

> It's interesting that:
> -   Google recently introduced and has now extended the availability
>     of two-factor authentication
> -   and then they crippled it
>

No, they didn't cripple it - it always worked this way.


> "And you can use a cookie to save that second token ...
>  [So during the life of the cookie it reverts to single-factor
> (password) authentication]
>
> " ... for thirty days, so you'll only have to go through the process
> once a month on the computers you use frequently."
> [So the life of the cookie is long.]
>
> [Not having a Google account, I'm in the dark here.  I understand
> that Google accounts are password-protected, but is it common
> practice to ask-once and then store the password in a cookie?  If so,
> the device is authenticated, but the user of the device is not.  So
> anyone who steals, or just borrows, the device would have access.]
>

Yes, this is very common.  Many websites do something similar, with some
form of out-of-band mechanism (often email, which may or may not really be
out-of-band) and/or additional authentication being used to provide the
additional level of security.

It's clearly not as good as using the 2-factor auth for every login, but
it's generally seen as a worthwhile compromise, especially as it
significantly reduces the overhead on the user when using a computer that
they trust.

Google has done it right in that they give the user the option whether the
additional authentication is cached or not - if you're on a shared computer
(internet cafe/etc) then you can choose not to do so.


> [So does this 'periodic second-authenticator' leave the person who
> steals or borrows your handset free to gain access to your Google
> account for an average of a fortnight after they steal your phone -
> or prettymuch any time they borrow it?  Or is the account still
> password-protected throughout?]
>

Only the 2nd level of authentication is cached for 30 days.  The
requirements to enter the password are still the same as before (which is
still not saying that a password is required - it would depend on a number
of factors such as whether the user had selected the "Stay signed in" option
or not).

  Scott
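As an added illustration of the mechanism discussed above (this is not Google's code and is not part of the original message): a minimal model of a remembered-device cookie that caches only the second factor. The password check is always performed; a valid, unexpired, server-signed cookie skips the one-time code, and the cookie is only issued when the user asks for the device to be remembered. Function names, the token format, and the use of an HMAC over a JSON payload are assumptions made for this example; the 30-day lifetime comes from the quoted Google text. Standard library only.

```python
"""Model of a 'remember this computer for 30 days' second-factor cookie.

Added example, not Google's implementation. Assumed design: the cookie is a
base64url(JSON claims) + "." + base64url(HMAC-SHA256) pair signed with a
server-side key. It records that the second factor was satisfied on this
device; it does not replace the password check.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)       # per-deployment secret (assumption)
TRUST_LIFETIME = 30 * 24 * 60 * 60         # 30 days, as described in the thread


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_trusted_device_cookie(user_id: str, now: float) -> str:
    """Create the cookie that records 'second factor done' for user_id."""
    claims = {"uid": user_id, "exp": int(now) + TRUST_LIFETIME,
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(body))


def trusted_device_valid(cookie, user_id: str, now: float) -> bool:
    """True only if the cookie is intact, belongs to user_id and has not expired."""
    if not cookie:
        return False
    try:
        body_b64, mac_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:                     # malformed base64 or wrong shape
        return False
    if not hmac.compare_digest(mac, _sign(body)):   # tampered or forged
        return False
    claims = json.loads(body)
    return claims.get("uid") == user_id and now < claims.get("exp", 0)


def login(user_id: str, password_ok: bool, otp_ok, cookie, remember: bool,
          now: float):
    """Decide a login attempt. Returns (outcome, cookie_to_set).

    otp_ok is None when no one-time code was supplied, else True/False.
    The password gate comes first and is never bypassed by the cookie.
    """
    if not password_ok:
        return "denied", None
    if trusted_device_valid(cookie, user_id, now):
        return "ok", cookie                # second factor cached: skip the code
    if otp_ok is None:
        return "need_second_factor", None
    if not otp_ok:
        return "denied", None
    # Second factor passed: only remember the device if the user opted in
    # (the 'shared computer' case is remember=False, so nothing is cached).
    new_cookie = issue_trusted_device_cookie(user_id, now) if remember else None
    return "ok", new_cookie


if __name__ == "__main__":
    t0 = time.time()
    outcome, cookie = login("alice", True, True, None, True, t0)
    print("first login:", outcome, "cookie issued:", cookie is not None)
    print("ten days later, password only:", login("alice", True, None, cookie, True, t0 + 10 * 86400)[0])
    print("wrong password with cookie:", login("alice", False, None, cookie, True, t0)[0])
    print("day 31, password only:", login("alice", True, None, cookie, True, t0 + 31 * 86400)[0])
```

The point the model makes concrete is the one in the reply above: the cached token lowers the account to password-only on that device until it expires, while a stolen cookie by itself (without the password) gets the attacker nothing.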


