This article was published on September 1, 2012

Google’s two-factor authentication is a pain, but it’s the lesser of two evils


Google’s two-factor authentication is a pain, but it’s the lesser of two evils

Google’s newest security measure, the two-step verification system, is an absolute pain in the ass. It’s annoying, it’s device dependent, and nearly every time I get hit with its barriers while attempting to check my email, I sigh in exasperation.

It sucks, but it would suck worse if my identity were stolen. And these days, that’s the real problem.

Hacking password caches and raiding identities is not a new practice. But, within the last month, major security breaches have been happening all over the web — proof that for the large part, traditional password development isn’t enough to keep hackers out of the system. And it’s not just social media websites and gaming communities seeing break-ins — hackers have uncovered weak points in the systems of some of the most universal websites.

Take, for instance, the hacking drama of cloud giant Dropbox earlier this month. According to reports, a hacker took advantage of a password nicked from an employee account to access a document with a list of users’ email addresses. Those addresses were then targets for receiving phishing spam of all kinds. While the company’s system itself was not hacked, the scare served as a sign to bulk up security in the popular service.

But hackers don’t even need to use brute force on services to destroy someone’s life. Wired‘s Mat Honan found that out the hard way when a hacker broke into his iCloud account, wiped the memory of all of his devices and forced themselves into his Twitter. Honan had the opportunity to speak with his cyberattacker, who explained exactly how he did it and why — it turns out that Honan was a target because of his rare three-letter Twitter handle. The hacker, who goes by the name “Phobia,” told Honan he didn’t even need to use brute force to hack his identity — just a few simple facts that duped customer support at both Apple and Amazon into providing the necessary information and access to all accounts. And, Honan’s own daisy-chaining of his accounts proved to be the weak point that the hacker needed to achieve a successful break-in. Though the hacker stopped at wiping his system and having a little fun with Honan’s account as well as exploiting his link to Gizmodo, Honan recognizes the damage could have been a lot worse.

So could two-factor authentication have changed either of these stories? Well, Dropbox implemented a two-factor system just a few weeks after their hacking experience, and Honan admitted that setting it up could have prevented some of the damage he experienced personally. And other companies, like Blizzard with its Battle.net Authenticator, have been using the technique long before Google’s implementation came along to prevent its users from losing their identity and tons of money in the process.

Of course, understanding why it’s such an important piece of identity protection is rooted in the same tactic that makes it so annoying to use for users.

Google implemented two-factor authentication for enterprises all the way back in 2010, and followed up with personal account access in 2011. Its system works a lot like the traditional IT security fob, which generates a random numerical password for a given amount of seconds. Users are required to enter that specific password in order to gain access to the system — no exceptions. Google’s two-factor system takes the process out of the designated hardware, giving users the option to either receive text messages to a phone to get the password in question or to download and configure the Google Authenticator app for smartphone — a software version of traditional fobs.

The benefits of two-factor authentication are simple: it requires a user to consult a source that is not readily available on the computer and is singularly designated in order to gain access to a website. It’s statistically impossible for a hacker to be able to brute force a two-factor authentication system because the second password is randomly generated for every login. But, it also makes it impossible to access email for someone who loses their phone without contacting customer service (ironically, usually via phone or email). This extra step and reliance on a different piece of hardware can drive people nuts. But it’s important to understand how two-factor authentication exists within the context of cybersecurity to gain an accurate picture of whether the system is worth adopting.

First, it’s key to recognize that, for all intents and purposes, people on the Internet do not use passwords that are even remotely safe or protective. And while everyone jokes at the popularity and stupidity of “12345” — a password that made the top 30 of cracked passwords during the June security breach of LinkedIn and also happened to be the email password of Syrian president Bashar al-Assad — many so-called “secure” passwords with numbers, symbols and letters can be hacked with enough persistence and brute force. Another common problem is using the same password for multiple important accounts, a process that can render even the most secure passwords totally moot because once one account is compromised, all are compromised.

Many people come up with “ultra-sophisticated” passwords to dodge brute-force hacking, but this only works up to a point. I spoke with two cybersecurity geek friends of mine, particularly about the effectiveness of high-entropy passwords — the kind of technique that is marketed in a common and often-sourced XKCD comic. They both informed me that while setting up a high-entropy password seems like a smart option, it’s technically not as secure as one would think, now that brute force is giving way to smarter hacking techniques. And, it’s especially unhelpful when the same password is attached to many different website logins.

The only other technique that comes close to the effectiveness of two-factor authentication, based on discussions with knowledgeable folks and my own personal experience, is implementing a random password generator like LastPass or 1Password. This system actually relies on the idea that users don’t want to remember any more junk they don’t have to — all passwords can be stored within the system and expedited for easy one-click log-ins. But it also contains the liability of relying on a single piece of software that’s also accessed via password to work. As one friend pointed out: if a password website’s security system were to be compromised, or if a brute force attack were carried out to unlock all passwords, there’s still a loose thread and therefore a vulnerability for hacking. Furthermore, these systems often require some cash upfront if users are looking for total and complete control over all passwords from all devices. It’s still safer than traditional passwords, but it’s not a panacea for hacking problems.

At its most basic level, passwords are fundamentally flawed. In order to achieve a higher level of cybersecurity from a user standpoint, convenience must be sacrificed for the greater good. Two-factor authentication is free, relatively simple, and one of the safest ways to keep your identity on lock. And Google has done a good job porting it to its services.

Yes, it’s still a pain in the ass, but go turn it on right now. You’ll thank me for it.

Image Credit: Auntie P

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top