SANS Internet Storm Center (ISC) InfoSec Forums
Handler on Duty: Didier Stevens
Two-Factor Auth: Can we just Google the response?

Google announced earlier that they are now offering two-factor authentication to all of their users.  More information is available at the Google Blog.  This is an extension to the service offered to their Apps customers last month.  While normally I would think that “advertising” a service wouldn’t fit in this diary, this is a little more than a regular new feature.  In my opinion, it’s a big change in how people think about two-factor authentication.


We have known for years that passwords are one of the weakest points in our security controls.  Users pick weak ones or share them with anyone who asks nicely.  Even security consulting firms will fall for simple social engineering attacks and reveal them.  Two-factor authentication is one answer that has been proposed often, but it is shot down almost as often.  Clients often tell me that the cost is too high to roll out a solution, which I have always felt was the wrong answer.  Of course, I am the paranoid security nerd.  When this happens, I propose one of two solutions that try to help lower the cost.


The first is where the site or organization passes on the cost to the user.  Blizzard does this for their accounts.  If the user feels that they should use two-factor authentication, they can either pay for a fob (the token generator) or install a smart-phone application.  Of course I always laugh that my virtual gold in my World of Warcraft account is safer than my real “gold” in my bank account.


The second route is the one Google has chosen.  When a user activates the system, their log on process has an extra step.  After entering their password, they receive a phone call or an SMS that carries the token.  They enter this into the form and if it’s correct, they gain access to their account.  This lowers the cost of deployment because it removes the need for a fob to be sent to every user.
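The server side of that extra step is where the security properties actually live: the code has to be unpredictable, short-lived, single-use, and guess-limited, because a six-digit code is only about twenty bits of entropy. The following is an added example (not Google's code and not from the diary) of the step as described above; the delivery channel (`send`) and the clock are injected as assumptions so that it runs offline, and the sample user names are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a delivered code is accepted for five minutes only
MAX_ATTEMPTS = 5         # six digits is a small space: cap guesses hard


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondStep:
    """Server-side state for the phone-call/SMS step.

    `send(user, text)` is whatever delivers text to the user's phone (an SMS
    gateway or voice service in a real deployment; here any callable).
    `clock` is injected so expiry can be tested without sleeping.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending = {}   # user -> PendingCode

    @staticmethod
    def _hash(user: str, code: str) -> bytes:
        # Store a hash with the user id mixed in, so a dump of pending records
        # does not hand out live codes in the clear and a record cannot be
        # reused for another user.  With only 10^6 codes this is hygiene, not
        # secrecy; the attempt cap below is the control that matters.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def start(self, user: str) -> None:
        """Called once the password has checked out: mint a code, remember its
        hash and expiry, and hand the plaintext to the delivery channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(
            self._hash(user, code), self._clock() + CODE_TTL_SECONDS
        )
        self._send(user, f"Your verification code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, with bounded attempts."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user]
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(
            pending.code_hash, self._hash(user, submitted.strip())
        )
        if ok or pending.attempts_left <= 0:
            # Single use on success; also discard after too many misses so the
            # caller must go back to the password step and trigger a new code.
            del self._pending[user]
        return ok


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS/voice gateway
    step = SecondStep(lambda user, text: outbox.append((user, text)))
    step.start("alice")
    delivered = outbox[-1][1].split()[-1]
    print("wrong code accepted:", step.verify("alice", "000000" if delivered != "000000" else "111111"))
    print("right code accepted:", step.verify("alice", delivered))
    print("replay accepted:", step.verify("alice", delivered))
```

Each outcome (expired, exhausted, replayed) is a distinct reason worth logging with the user id and source address; a burst of exhausted records across many users is the signal that someone is guessing codes rather than reading them off a phone.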


So the questions are pretty simple.  First, how do you think two-factor authentication should be implemented and how do you deal with the cost?  Second, alliance or horde? ;-)


Kevin Johnson

Secure Ideas


6 Posts
Feb 11th 2011
In the org where I work all remote access requires 2 factor auth because of a simple business case: Can we afford not to? Luckily in my org's industry it was an easy answer, no. But I think highlighting cases like WoW and Google will hopefully start to add weight to arguments for this, and the costs seem to be going down as well.

And, Alliance :)

14 Posts
Sorry, but I thought 2 factor meant something you know + something you have. What is the something you have in this solution? This is not 2 factor authentication as the virtual "something you have" is owned by Google and not you!
13 Posts
as the images show in this article:

As you can see on the second image: You are able to "stay signed in" AND to remember verification Code (ie 2nd factor) for a period of 30 days.
I did not test that, but it looks like you can bypass Google's 2nd factor security just a click away.
1 Posts
The something you have in this situation is your cell phone.
1 Posts
Michael: I agree that the stay signed in is a problem. I would have hoped that Google would remove that "feature" if 2FA was requested.
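The "remember verification code for 30 days" option the two comments above discuss is a trusted-device token, and whether it is a bypass depends on how it is issued and checked. Below is an added example (not Google's implementation and not from this thread) of how a defender would want such a token to behave: it is minted only after the second step succeeded, bound to the user and to a "2FA settings generation" counter so that turning 2FA off and on again or revoking devices invalidates it, signed so it cannot be forged, and expired after 30 days. A plain "stay signed in" session cookie is a different object and never skips the second step on its own. The server key, user ids and timestamps are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

TRUST_DAYS = 30
SIG_LEN = 32
# Assumption for the example only; a deployment would load this from a KMS.
SERVER_KEY = b"constructed-example-key-not-for-reuse"


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_trusted_device(user_id: str, twofa_generation: int, now=None) -> str:
    """Mint the 'remember this device' token. Call this only on the code page,
    after the second step has just succeeded, never from the password step."""
    now = time.time() if now is None else now
    claims = {"u": user_id, "g": twofa_generation, "exp": int(now + TRUST_DAYS * 86400)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _sign(body)).decode()


def trusted_device_skips_second_step(token: str, user_id: str,
                                     twofa_generation: int, now=None) -> str:
    """Return "ok" if the token may skip code entry, otherwise the reason it
    may not. The reason is what you log; anything but "ok" means ask for a code."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return "malformed"
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # Verify before parsing: unsigned bytes never reach the JSON decoder.
    if not hmac.compare_digest(sig, _sign(body)):
        return "bad-signature"
    try:
        claims = json.loads(body)
    except ValueError:
        return "malformed"
    if claims.get("u") != user_id:
        return "wrong-user"
    if claims.get("g") != twofa_generation:
        return "stale"        # 2FA was reset/re-enrolled since this was issued
    if now > claims.get("exp", 0):
        return "expired"
    return "ok"


if __name__ == "__main__":
    issued_at = 1_300_000_000          # constructed timestamp
    tok = issue_trusted_device("alice", 1, now=issued_at)
    print(trusted_device_skips_second_step(tok, "alice", 1, now=issued_at + 10 * 86400))  # ok
    print(trusted_device_skips_second_step(tok, "alice", 2, now=issued_at))               # stale
    print(trusted_device_skips_second_step(tok, "alice", 1, now=issued_at + 31 * 86400))  # expired
```

Bumping `twofa_generation` whenever the user changes their phone number, disables or re-enables the feature, or clicks "forget all devices" is what turns the 30-day window from a standing bypass into a bounded convenience.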


6 Posts
The day blizz offered the token for order is the day I happily sent them US$ 5.99. (And no, I don't pay for the vanity pets...)

With "features" like the iPhone/iOS encryption key harvesting bug discussed yesterday on slashdot, is there a viable alternative to hard tokens?

Oh and FOR THE HORDE!!!!!

3 Posts

I agree that the $5.99 was an easy cost to send in. (I have to admit to buying one vanity pet. The one where they donated the cost was way too fun to pass up!)

While I agree that a cell phone is not the most secure system in the world, I don't feel that the risks you and others have mentioned make it unviable as an alternative.


6 Posts

Great post. I believe that with so many people that have both a Gmail account and a smart phone, it makes a whole lot of sense to leverage both to implement a two-factor authentication system.

The decision by Google to make this available to its users should be seen as a conversation starter. Your comment about your non-real gold being more secure than your real gold hits home.

I say give it a try and look for opportunities to invite our non-security nerd friends into the conversation. Their gold needs securing, for sure.


100 Posts
ISC Handler
My concern is that the phone is going to become the new password, then again, you could end up with as many tokens as passwords on your key chain. Pick your poison.

17 Posts
"The first is where the site or organization passes on the cost to the user. (...) The second route is the one Google has chosen."

This is still passing the cost to the user in a sense. Text messages and phone calls are not free. Sure, I have unlimited texts and about 4,000 unused rollover minutes, but that doesn't mean I didn't pay for those things. Many people still drop 10-20 cents per text message. At that rate, a mere 30-60 logins will run up a bill equal to that of Blizzard's FOB.

It's a good idea, and I applaud Google for their efforts (and the fact that they offer this enhanced security system), but it's still not a perfect solution.
First, I'd say 1-1/2 factors. Second, this is the old web of trust, except it's between virtual identities instead of touchable people.
Warcraft actually does something even more interesting - if you have the fob / phone app, you are given an "in-game" pet that follows your characters around. If you discontinue the fob/phone service, the pet goes away. That feature allows players to prove they have the fob service to other players, and those other players can then assign higher levels of trust.

But, there's an obvious caveat. If a player has the pet, you cannot have higher confidence that the person at the keyboard is who they claim to be, since a 2nd party roommate / child / spouse will likely have unfettered access to the fob. What the fob *does* do is reduce the odds of 3rd party access.

I spent last night chain-killing some horde priest. QQ MOAR, N00b!

42 Posts
Dual-authentication is what this amounts to; you send them your password, they send you their confirmation. It is also considered two-factor: It's something you have and something they know.
9 Posts
It seems to me that the Google Blog post avoids using 2FA to describe their advanced security feature, consistently using the term "2-step verification" throughout the post. Since they obviously didn't want to call it 2FA, it doesn't make much sense to criticize it for not being 2FA.

(FWIW though, it looks an awful lot like 2FA to me!)
2 Posts
I think it is splitting hairs to debate whether this is two-factor or not.

It is, however, two channel authentication.

From the other side of this (a business sending out the SMS messages) it is not cheap either. SMS trunk lines cost the business, either by tapping in or through a service that charges anywhere from US$0.03 to US$0.12 per SMS. If you have lots of users signing in frequently, an SMS trunk line of your own makes sense with its set monthly fee. However, the FOB may cost less if you have few users with frequent logins compared to a per message SMS charge.
Nathan Christiansen

20 Posts
Nathan raises a good point. In Google's case this is a sunk cost because they already offer SMS messaging as part of Google Voice.
I am shocked you guys still trust google.

After their brazen global data siphoning and now the fact that Google is in partnership with the NSA. Just google it :)

To me this 2-factor auth is unacceptable and is a false sense of "real" security.

Now if they had a visual keypad/point-and-click as a 2nd factor to avoid keylogging, that would be ideal.

7 Posts
"This is still passing the cost to the user in a sense. Text messages and phone calls are not free."

Yes, you're paying, but you're paying your cellular provider, not Google. Google doesn't get any of this, so they're not passing on their costs to you. They're paying to send the text messages, you're paying to receive them, and the cellcos in the middle are getting it coming and going.

8 Posts
People with complaints about how Google does business: Your complaints are privacy related, and irrelevant to the question of "How to best secure a Google Account?" The user has already decided they want to use Google at that point. Google has a motive to protect your privacy against others; if it's stolen, your info is worth less to Google.
6 Posts
Is there any information on how this will affect POP3/IMAP with Gmail? From the looks of it, this will either make POP3/IMAP completely useless or they will bypass the two factor auth.

7 Posts
