Monday, November 3, 2014

New Gadget

Not at all moto-related, though you may be interested if you use the Chrome browser and use Blogger to host your blog. On October 21, 2014, Google added support for tokens as an additional factor for authentication. Hopefully you already have two-factor authentication enabled, which means that you need something you know and something you have to log into your account. Typically this has been a password (something you know) and your cell phone (something you have).

The cell phone component is typically the Google Authenticator app, which gives you a six-digit code that you type in on the web page to complete the login process. The "problem" is that the authenticator is time-based, and if the time on your phone is not synced properly, the code displayed will be wrong, as codes are only valid for about one minute. This has happened to me more than once, such as whenever I am out of the country (including Canada). Google does provide a backup process involving text messages, phone calls or pre-printed lists of one-time use codes.
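How an unsynced phone clock produces a rejected code, as an added example (not from the original post and not Google's code): a minimal RFC 6238 time-based code generator with a verifier that tolerates one time step either side. The 30-second step, the one-step window and the RFC test secret are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step in seconds (assumed here)
DIGITS = 6   # six-digit code, as the authenticator app displays


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1 plus dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 1, step: int = STEP):
    """Return the step offset at which the code matched, or None if it was rejected.

    window=1 (an assumed policy) accepts the previous, current and next step,
    which absorbs small clock errors but not large ones.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return drift
    return None


def demo():
    """Map phone clock error (seconds) to the verifier's result."""
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    server_time = 1111111109           # constructed: server is 29 s into its step
    results = {}
    for skew in (0, 25, -40, 120):
        code = totp(secret, server_time + skew)   # what the phone would display
        results[skew] = verify(secret, code, server_time)
    return results


if __name__ == "__main__":
    for skew, outcome in demo().items():
        status = "rejected" if outcome is None else f"accepted at step offset {outcome}"
        print(f"phone clock off by {skew:+4d}s: {status}")
```

A clock that is two minutes off lands four steps away from the server, outside the tolerance window, so the displayed code is refused even though the secret is correct.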

The device pictured is the FIDO-compliant U2F security key made by Yubico that I picked up on Amazon shortly after I saw the announcement. Now when logging into Google, after entering my password, I just insert the key into a USB port, tap the circle, then remove the key. Pretty straightforward. The downside is that, at least for now, you have to be using the Chrome browser. U2F stands for Universal 2nd Factor, and now that it has been adopted by Google, adoption may speed up. Using this device doesn't mean that I can disable the Google Authenticator, as it is still needed for mobile applications (no USB on the phone) or other browsers.

I also use Duo Security for second factor and they also support the security keys but I haven't had an opportunity to set it up.


4 comments:

  1. I have always received a phone call for the code. One time I didn't get it in for several minutes and panicked and asked for another one. I have no idea if it really did expire, but from what you say it must be true: one minute means one minute.

    1. Just about anything for 2nd factor is a huge improvement over just a password. I used the phone call before deciding to trust the Authenticator app. I've used hardware tokens before but this is a completely different breed. I really like the concept.

  2. Two-factor authentication is a good thing, the token you describe is a stronger option as there have been reports of people having their phone account hacked. LINK.

    Given Google's support of this method, guess it's time to invest in a similar device myself.

    1. The phone as a 2nd factor always seemed weak. But last month I was almost bitten by the Apple 2nd factor. The iPhone was my 2nd factor and when updating the OS on the iPhone you need to authenticate but the phone wasn't functional as a phone. I swapped SIM cards to a friend's iPhone so I could receive the SMS code.
