One of my jobs is browbeating people to turn on 2-Step Verification, and it’s working; more and more people are. Today I learned that we’ve got some open-source technology you can use to add 2-factor to your own app.
Please Get Safe · Seriously, if you haven’t already, and if someone hacking your Google account would screw up your life, then start here right now and come back after you’ve turned it on. I’ll wait.
What, you didn’t do it? You’re not convinced? You think it’ll be inconvenient? Wrong. It’s super-smooth; every so often, when Google asks you to refresh your login, it’ll ask you to enter a number that we send you by SMS. Don’t like SMS? No problemo, just grab the Google Authenticator app for your Android or Blackberry or iOS device, and it’ll generate a code locally.
It’s just not inconvenient. What is inconvenient is having to apologize to everyone when your account gets hacked and your friends all get spammed or worse, scammed. So please, get on board.
Add It To Your App · I don’t think that apps should be doing their own authentication, I think they should be farming that out to Identity Providers, the better to preserve the sanity of their users. But if you really must authenticate people, give serious thought to offering 2-factor.
It turns out that your app can use Authenticator too; it works with those OATH TOTP constructs. (Yes, that’s OATH not OAuth, life is confusing.) Dropbox is already doing this, so you’d be in good company.
Authenticator is also an open-source project, which makes it easier to be confident about what it does and how it works. Also, it would be perfectly reasonable and OK for you to fork it (Apache license) for your own purposes.
Comment feed for ongoing:
From: Eric H (Jun 24 2013, at 12:06)
I tried two-factor long ago, when it was first announced; and it _was_ inconvenient. I recall having to use the Authenticator app. Just tried it again, because you're so persistent, and (assuming that I always have my phone with me, which is pretty likely) it indeed seems easy. Thanks for nagging :)
From: Bob Monsour (Jun 24 2013, at 12:14)
Ok, you got me. I'm in. Definitely painless and I feel safer already. Thanks.
From: Michael MacLeod (Jun 24 2013, at 12:26)
My authenticator app has three codes in it at present. There's Google, LastPass, and my servers. I added the Google Auth PAM module on all my servers, set it up on one, and copied the .google_authenticator file to each of my servers. It would be dead simple to push these files via puppet or any other configuration management engine.
At one time I also had my work laptop set up with two factor for local access, but I no longer run Linux on it now.
A deft combination of ssh keys, ssh-agents, and google auth can give you a very convenient and also secure work environment. The truly serious could probably incorporate kerberos as well for some real SSO type glue, but I haven't bothered.
From: David (Jun 24 2013, at 14:07)
What if I don't have a phone or my phone is not reliable? Locking myself out (even temporarily) would almost be as painful as being hacked.
Turns out, I do have options to prevent locking myself out, such as https://support.google.com/accounts/answer/1187538?hl=en to ease that pain, but they are not advertised and may get lost or stolen (like my phone).
How about http://blog.jcuff.net/2011/02/cli-java-based-google-authenticator.html ? Do you endorse it, or deem secure enough? How about the other implementations mentioned at http://en.wikipedia.org/wiki/Google_Authenticator ?
How is any of these more secure than a public key (as in ssh), possibly with a server-side password too, which turns out to be also more convenient than this two-password approach? My password is strong, not reused on any other site, and I am not vulnerable to phishing. How are these methods more secure than that?
Of course your approach does not save people from phishing attacks, only (maybe) a scary-looking browser warning can.
From: Mark Stanislav (Jun 24 2013, at 14:59)
Nice post. There are definitely numerous ways to achieve the same end goal (like most things in tech :P). But most importantly, utilizing two-factor at all is key.
If you or anyone else is looking for a bit more of a robust platform to build from, please take a look at Duo Security. We've got plenty of open-source (https://github.com/duosecurity) code ready to help integrate into just about any platform you need. We also have a full REST API to leverage (https://www.duosecurity.com/docs/authapi-guide).
If you've never checked out Duo Push (https://www.duosecurity.com/duo-push) you may find it a bit more enjoyable & powerful than code generation. However, we definitely support all the other standard types of 2FA beyond our push including Phone Callback, SMS, hardware tokens (OATH/Yubi-Key), soft tokens, etc. Our mobile app also supports TOTP so you can still utilize Google authenticator and other TOTP compliant services (Dropbox, LastPass, etc.)
From: John Kienitz (Jun 24 2013, at 15:39)
Authenticator needs the ZXing barcode reader to read bar codes. If two factor is already on, you cannot download it from the play store.
I tried entering my email address and the code it gave me, and it seemed to work in Authenticator, but the numbers it gave me did not work for logging in.
I had to turn off two factor, install ZXing, turn two factor back on, and then read the barcode. It generated another account that looked like the same email address, but the numbers for the new account worked.
I am not sure this is worth it. There is no cell service at my home, so the phone is usually turned off in my coat.
I feel that it is more likely that I will lose access to my account now, instead of having my password guessed.
From: Doug K (Jun 24 2013, at 15:51)
Turned it on after James Fallows wrote about it, turned it off when travelling since US phones and consequently SMS don't work in those foreign lands, at least not without copious surcharges and new hardware. Of course I could get a smartphone and pay Verizon its $400/year data plan penalty surcharge, but frankly can't afford it at this stage.
The problem remains that lots of people without smartphones or SMS access still use email.
From: Janne (Jun 24 2013, at 17:50)
I have it turned on. I do like the security. But it _is_ pretty inconvenient and confusing, and I would not recommend somebody turn it on unless they're decently tech savvy already.
You've got a regular Google password; a time-based code that can be generated from one device only; a printout of just-in-case codes/passwords just in case; and a pile of one-time passwords that most apps seem to need in practice.
They are all related in mysterious ways, and I've not been able to build myself a mental model that explains how and why. So I have no idea how each contributes to the security or how important each one is.
That paper pad of codes, for instance, is that critically important to keep safe at all costs or not? Can I keep them together with my phone that has the Authenticator app or must they absolutely be separate? How about the base Google password? What do I do with one-time passwords; do I delete them religiously or keep them around? And why are the pages with the one-time passwords and the rest hidden away and hard to find? When I need a new one-time password the last thing I want is spend five minutes trying to hunt that place down again.
If this is more than a little confusing to me, I am sure non-technical people such as my wife will quickly give up on this; it's that or stop using Google services altogether.
From: J. King (Jun 24 2013, at 19:35)
What if I don't have a phone which can receive SMS and don't have an Android, Blackberry or iOS device? This is not a rhetorical question. I haven't been able to access my [Windows? Microsoft? What -do- they call it now?] Live account for months because while they claim to have other means than SMS to unblock my account, said other means is apparently broken.
From: Paul Hoffman (Jun 24 2013, at 21:19)
Turned on two-factor, went fine for Google web sites. The next time my IM client (Adium) went to re-authenticate my GTalk login, it failed hard: would not take my password, even though that password still worked fine on the Google web sites. Logged in and turned off two-factor, and my IM started working fine immediately.
Yes, I'll migrate off of GTalk for Jabber ASAP. No, this is not seamless.
From: Gavin B (Jun 24 2013, at 22:40)
After a week like that (Prism/Snowden etc), why would anyone with a sane mind give their mobile number to Google & Co?
Browbeat as much as you like but find another second factor that's not so invasive Tim.
From: Dave S. (Jun 24 2013, at 23:19)
After a year-plus of using the 2 factor auth app, it still boggles my mind that I have to temporarily commit a 6 digit number to memory, quickly switch apps, and hope that I can punch it in accurately before the clock runs down.
Copy and paste. Why it can't do copy and paste, I'll never understand.
From: Philou (Jun 25 2013, at 03:09)
For those of you looking for a more professional approach, I found a very interesting 2FA solution (OpenOTP) at http://www.rcdevs.com/.
It's not a cloud service, so you can install the 2FA auth server yourself and get 100% control on your security. And it runs on Linux :-).
The guys provide plenty of open-source integrations, like VPN and a PAM module...
GA works perfectly and enrolls with the QR. And it's not limited to GA: There is a bunch of other 2FA systems like on-demand SMS OTP.
I recommend it especially if you have centralized your accounts in LDAP as this solution works with LDAP. And this one is totally free for personal use.
From: Rob Larsen (Jun 25 2013, at 15:44)
You should mention that it's not a breeze to set up if you have multiple Google accounts. I set it up for one account. That was easy. I've just had a blast trying to set it up for the second account. I'm logged in. I'm logged out. I'm logged in. I'm logged out.
Thankfully I'm the administrator on the other account (if not, it doesn't seem to be possible, it's all two factor or nothing), but even finding the "Security" button took some doing. It was "conveniently" hidden in a "more options" button at the bottom of the screen, because that's helpful. And then I have to wait to install the Authenticator app even though it's already installed, since the setup process is very rigid. There's no "I've already got the app" button. I have to get the useless text message, etc. and then wait. And... if, after waiting, you say "I'm done with setup" it times out if you don't log in soon enough. I've got a nice collection of these text messages. Maddening.
Of course, none of this is a surprise. Managing one Google account is easy. Managing two is full of little indignities.
From: penalba (Jun 26 2013, at 07:32)
@Dave S: on iOS, at least, you can copy/paste from Authenticator: double-tap on the six digit code, and a copy popup appears.
From: John Gill (Jun 29 2013, at 08:52)
Sorry Tim, this is inconvenient. Turned it on, worked fine on my laptop. Went to my BlackBerry and now cannot log into any Google services there.
Will try again when this is fixed.
From: Laura Hamilton (Jul 20 2013, at 09:33)
Great post. I always use two-factor authentication for every site/service that offers it. Helps me sleep easily at night :)
Hopefully more will add support soon. Online banks, I'm looking at you!