When is Two Factor Authentication not Two Factor Authentication?

There’s been a lot of noise in the popular technology press around the recent, unfortunate hack of a Wired contributor’s digital life, which saw his iPhone wiped, his iPad wiped, his MacBook wiped and his GMail account deleted… all to get at his Twitter account.

It all started with Apple allowing the password on a me.com account to be reset with practically no verification: just the card billing address and the last 4 digits of the card on file.  Think how many accounts you’ve created on the web that display exactly that information.  Amazon shows the last 4 digits of a payment card, as do the majority.

Still feeling smug?  It’s a chilling reminder to all of us that:

  • We need to use better passwords, and stop reusing them across sites
  • Social engineering can bypass passwords entirely: an attacker who can talk a helpdesk into a reset never needs yours
  • The cloud is not suitable as the only copy of anything you care about
  • Passwords on their own are no longer adequate as a security mechanism

On the back of this, many articles have said “TURN ON TWO FACTOR AUTHENTICATION”, sometimes in capitals, for GMail.  Some have even explained what 2FA is, which is good.

But for clarity, 2FA means authenticating with two of the three factor categories: something you know (a password or PIN), something you have (a phone or a token) and something you are (a fingerprint or other biometric).  Two passwords are still one factor.

GMail 2FA, when turned on and used from the web, relies on you giving Google your mobile number.  After you enter your password, Google sends an SMS containing a one-time code; you type in the code, and you’re in.  (Google also offers a code-generator app that produces the code on the handset itself, which avoids the SMS altogether.)  Note what the “something you have” really is here: not the handset but the phone number.  Whoever can receive SMS for that number, whether by porting it out or by sweet-talking the carrier, holds your second factor.

SMS costs money: why are Google giving this away for free?  Could it be that they’ve now added a phone number to your profile, making you more attractive to advertisers?  Or is it out of the goodness of their heart?

And what about applications?  I collect mail from offline clients, as I’m not always connected to the net/cloud/whatever.  I also like a backup that I’m in control of.

With 2FA turned on, a POP/IMAP mail client, a calendar client or a Google Drive sync tool has nowhere to type an SMS code, so GMail has you generate application-specific passwords for them instead.  These are passwords not intended for humans: long, random, nigh on impossible to remember, and pasted into each client once.

But it’s a password.  It sits on the client’s disk, it is sent with every connection, and if it’s compromised it can be used from anywhere in the world with no second factor at all.  What you do get is revocation: each application-specific password can be deleted individually without touching your main password.  The label you give it is for your benefit only; the password itself is not scoped to that application, and any client that speaks IMAP can use it.
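To make the contrast between the two login paths concrete, here is a toy account server (an added illustration, not Google’s code or anything from the original post) that implements both: the web path, which checks the password and then a single-use, time-limited, attempt-capped SMS code, and the client path, which accepts any valid application-specific password with no second step.  The function names, the data model, the 16-lowercase-letter app-password format, the five-minute code lifetime and the three-attempt cap are all assumptions made for the example; SMS delivery is simulated by appending to a list.

```python
"""Toy two-factor login vs. application-specific passwords (example code)."""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300          # assumed lifetime of an SMS code
MAX_CODE_ATTEMPTS = 3           # assumed cap on wrong guesses per code
APP_PASSWORD_ALPHABET = string.ascii_lowercase
APP_PASSWORD_LENGTH = 16        # assumed app-password format


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database does not hand out the secrets."""
    return pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    phone: str
    # label -> (salt, hash). The label only identifies the entry for revocation;
    # it is not a scope, and the client never sends it.
    app_passwords: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # (code, issued_at, attempts_left) while a web login is half complete
    pending_code: Optional[Tuple[str, float, int]] = None
    sms_outbox: List[Tuple[str, str]] = field(default_factory=list)  # simulated SMS gateway


def create_account(password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash_secret(password, salt), phone)


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash_secret(password, acct.salt))


def web_login_step1(acct: Account, password: str, now: float) -> bool:
    """Factor 1, something you know. On success, a one-time code goes out by SMS."""
    if not check_password(acct, password):
        return False
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.pending_code = (code, now, MAX_CODE_ATTEMPTS)
    acct.sms_outbox.append((acct.phone, code))   # real system: call the SMS gateway here
    return True


def web_login_step2(acct: Account, code: str, now: float) -> bool:
    """Factor 2, something you have (the phone number). Single use, expiring, attempt-capped."""
    if acct.pending_code is None:
        return False
    expected, issued_at, attempts_left = acct.pending_code
    if now - issued_at > CODE_TTL_SECONDS or attempts_left <= 0:
        acct.pending_code = None            # stale or exhausted: start over from step 1
        return False
    if hmac.compare_digest(expected, code):
        acct.pending_code = None            # consumed: the same code cannot be replayed
        return True
    acct.pending_code = (expected, issued_at, attempts_left - 1)
    return False


def issue_app_password(acct: Account, label: str) -> str:
    """Generate a random app password; the plaintext is shown once and pasted into the client."""
    pw = "".join(secrets.choice(APP_PASSWORD_ALPHABET) for _ in range(APP_PASSWORD_LENGTH))
    salt = secrets.token_bytes(16)
    acct.app_passwords[label] = (salt, _hash_secret(pw, salt))
    return pw


def revoke_app_password(acct: Account, label: str) -> bool:
    """Revocation is per entry, which is the one thing a plain password change cannot give you."""
    return acct.app_passwords.pop(label, None) is not None


def imap_login(acct: Account, app_password: str) -> bool:
    """Client path: one secret, no SMS, usable from anywhere. Any valid entry matches,
    whatever label it was issued under, because the protocol carries only the password."""
    for salt, stored in acct.app_passwords.values():
        if hmac.compare_digest(stored, _hash_secret(app_password, salt)):
            return True
    return False


if __name__ == "__main__":
    acct = create_account("correct horse battery", "+447700900123")   # constructed sample
    assert web_login_step1(acct, "correct horse battery", now=0.0)
    _, code = acct.sms_outbox[-1]                                      # "the phone" reads the SMS
    print("web login with SMS code:", web_login_step2(acct, code, now=1.0))
    app_pw = issue_app_password(acct, "Thunderbird on laptop")
    print("IMAP login with app password, no second factor:", imap_login(acct, app_pw))
```

Run it and the two `True` results are the whole point of the post: the web path needs the phone, the IMAP path needs only the 16-character string, and a copy of that string taken from a laptop’s mail client works from any network on earth until someone notices and revokes it.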

And a happy ending for Mat: he got his most precious data back… for $1700
