[LINK] Google Account [In?]Security
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Jul 29 08:25:24 AEST 2011
It's interesting that:
- Google recently introduced and has now extended the availability of two-factor authentication
- and then they crippled it
Relying entirely on:
http://techcrunch.com/2011/07/28/googles-two-factor-authentication-now-live-in-150-countries-and-40-languages/
"whenever you attempt to log into your Google account you'll be
prompted for both your 'regular' password and a second password "
"[the second password is] only available via your phone"
"In other words, logging in requires both your password (which could
potentially be phished) and a code from something you physically have
(which is harder to get)."
"You can opt to receive this second code via smartphone, phone call,
or SMS (it's easiest to just use the smartphone app, which is
available for Android, iPhone, and BlackBerry)."
So far so good. But:
"And you can use a cookie to save that second token ...
[So during the life of the cookie it reverts to single-factor
(password) authentication]
" ... for thirty days, so you'll only have to go through the process
once a month on the computers you use frequently."
[So the life of the cookie is long.]
[Not having a Google account, I'm in the dark here. I understand
that Google accounts are password-protected, but is it common
practice to ask-once and then store the password in a cookie? If so,
the device is authenticated, but the user of the device is not. So
anyone who steals, or just borrows, the device would have access.]
[So does this 'periodic second-authenticator' leave the person who
steals or borrows your handset free to gain access to your Google
account for an average of a fortnight after they steal your phone -
or pretty much any time they borrow it? Or is the account still
password-protected throughout?]
[And, given the work that they've done to get this far, why didn't
they include a parameter-setting that enables the user to nominate
'year' (which is pretty much the same as 'off'), or 'month', 'week',
'day' or 'every time'?]
"Of course, many applications and devices ask for your Google
credentials (iCal, phones, tablets, whatever), and they don't have
this two-factor flow built in. For these, Google lets you create
application-specific passwords - Google will spit out a unique string
of random letters, you type them into the application's password
field and save it (you don't have to memorize or write down this
password)."
[So anyone who uses your device always has access to all of your
other Google applications?]
[This is a good example of why consumer services need to come with
security assessments and certifications.]
[I've got no problem with informed consent, i.e. people who've been
given a decent chance to understand the implications of what they're
doing may actively choose an insecure option. (Anyone want to know
my low-level password for all those nuisance accounts that
organisations foist on me?).]
[But clear information, conservative defaults, and the availability
of relatively secure settings and processes are critical for some
people for at least some proportion of their accounts.]
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
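An added illustration (not Google's code, and not part of the post above) of the design the post asks for: a "remember this device" cookie whose lifetime the user picks from 'every time', 'day', 'week' or 'month', bound to one user and one device, revocable when a handset is lost, and only ever used to skip the second factor, never the password. The cookie format, the HMAC signing and the `device_id` value are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# User-selectable lifetimes; 'every time' means no device cookie is issued at all.
LIFETIMES = {"every time": 0, "day": 86400, "week": 7 * 86400, "month": 30 * 86400}
SERVER_KEY = secrets.token_bytes(32)  # constructed for the example; kept server-side in practice
REVOKED = set()                       # token ids the user has revoked (e.g. lost phone)

def _sign(body: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest()).decode()

def issue_trusted_device_token(user, device_id, lifetime, now=None):
    """Cookie value letting this device skip the second factor until 'exp', or None."""
    ttl = LIFETIMES[lifetime]
    if ttl == 0:
        return None
    now = time.time() if now is None else now
    body = json.dumps({"u": user, "d": device_id, "exp": now + ttl,
                       "id": secrets.token_hex(8)}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def second_factor_required(user, device_id, cookie, now=None):
    """True unless the cookie is an authentic, unexpired, unrevoked token for user+device."""
    if not cookie or "." not in cookie:
        return True
    b64, sig = cookie.rsplit(".", 1)
    try:
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return True
    if not hmac.compare_digest(_sign(body), sig):   # tampered or forged cookie
        return True
    claims = json.loads(body)
    now = time.time() if now is None else now
    return (claims["u"] != user or claims["d"] != device_id
            or claims["exp"] <= now or claims["id"] in REVOKED)

def revoke(cookie):
    """User-initiated revocation: the token id goes on a deny list until it would expire."""
    REVOKED.add(json.loads(base64.urlsafe_b64decode(cookie.rsplit(".", 1)[0]))["id"])

def login(user, password, device_id, cookie, check_password, otp_ok, now=None):
    """The password is checked on every login; the cookie only decides whether the OTP step runs."""
    if not check_password(user, password):
        return False
    if second_factor_required(user, device_id, cookie, now):
        return otp_ok()
    return True
```

Shortening the lifetime to 'day' or 'every time' narrows the window in which a borrowed or stolen device can skip the second factor; revocation closes it for a device already lost.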