Review: Google's Two Factor Authentication

Earlier this year, Google launched Two Factor Authentication, and some of my security conscious friends switched to it. After some persuasion, I was finally talked into giving it a try last night.

I'm famously opposed to security, mostly because most of the time security costs way more than the benefits it describes. I don't really know how secure two factor authentication is, since I don't keep my phones locked with a pattern, and while I've never had a phone stolen, it's probably much more likely to be stolen than say, my Kindle.

Turning on two factor authentication isn't actually all that easy. You have to get to your "My Account" settings, rather than your settings in gmail, which was the first place I look. The next thing they tell you is that they'll send authentication code to your phone. I use my Google Voice # (available globally on my Google Profile, just to show how much I really don't care about privacy), and then you're given a set of backup one-time use verification codes, which I promptly dumped onto my file server, so that when I do lose my phone (and probably my wallet at the same time), I'll still at least be able to get to my accounts.

What they don't tell you is that your verification code gets sent via SMS to your Google voice account, but the minute you turn on authentication, you get logged out of all your Google services and your Android phone loses access to Google voice as well. Since I deliberately didn't turn on SMS forwarding (a good percentage of SMS messages I receive are effectively junk mail or duplicate Google voice messages), I also immediately had no way of getting the authentication code to get back into my account. Good thing I had those backup verification codes!

Once I logged back in, I discovered I had to now generate verification codes for Google Music, my android phone, and any other service that my Google identity was used for. Fortunately, I don't use Google identities for anything other than Google products, but this poor journalist apparently didn't do that and immediately turned off two-factor authentication as being too unwieldy. For instance, if I had used my primary gmail account to push changes to books.piaw.net, then every time I did a push I'd have to type in two passwords. Now, I don't do pushes all that often, but there are days when I do half a dozen pushes, and that would be really annoying. Fortunately, I use separate accounts for all that. In fact, 90% of my e-commerce transactions go into a different e-mail account, precisely because whenever I hand a vendor an e-mail address I assume I'm going to get spammed.

The funny thing is, is that for 90% of my web-use, I really couldn't care less about security. If someone hacked into my Quora account, for instance, maybe he could post anti-Semitic messages into my Quora setting, and it'd take me forever to clean it up, but sticks and stones will break my bones and all that. Ironically, that means that for most web-sites, what I really want is Facebook Connect with next to no security, not heightened security for e-mail.

The real irony is that the sites where I really do care about security, such as Vanguard or any of my banks where I can actually transfer/wire huge amounts of money, I don't actually have the option to implement two-factor authentication.

All this ties into Steve Yegge's infamous post from two days ago:

Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds. But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.

The amount of pain a user has to suffer to get enhanced security should be rewarded by an appropriate increase in security about the things he cares about. In this case, I get an increase in e-mail security, but it's not really for the cases I care the most about, so most of the time it's going to be a major pain in the ass. We'll see how much pain I'll put up with before I turn two-factor authentication off completely.

For everyone else, I cannot recommend this if you treat your Google account the way I treat my Facebook account: as an all-purpose identity login to most web-sites that I consider low security. If you travel a lot and use internet cafes without your own machine, then I think this could give you better security and peace of mind... until your phone or wallet (which has all your one-time pads) gets stolen. I wish Google had sold this to all the banks I cared about rather than just implementing it on its own properties.

P.S. It just struck me that the nightmare scenario is far worse than losing access to e-mail. If you store for instance, back up passport scans on Google docs, and you get mugged and you get your wallet and phone taken away while you travel, you lose access to those passport scans, which might be required to get you home. For this reason, a better solution for the security paranoid would be to set up a temporary travel email account and have mail forwarded there. When I asked a Google employee about this, her solution would have been to login to her work account with a separate security dongle that was kept separate from her phone. Obviously, this does not work for you if you don't have that separate security dongle.

P.P.S. XiaoQin points out that Facebook has a much smarter authentication than 2-factor authentication. When you login from a new computer, Facebook authenticates you by asking you to name your friends from pictures they've posted on their album (which have been tagged). Not only is this information difficult to steal, it's also damn near impossible for you to forget. Another reason why Facebook's predilection for smart hacks will lead to it being the single-signon for the internet.