
Google Apps' two-factor authentication provides security boost for Mac and iPhone users

Vincent Danen details how to enable Google Apps two-factor authentication and reap the security benefits it offers for Mac and iPhone users.

One relatively recent feature that Google introduced that really has me nodding in their direction is the two-factor authentication that can be used with Google accounts (including Google Apps accounts). Typically, services require a password, and this password is used by all programs used to access that service. In the case of Google and all the services they provide, that list can be quite long. Also, if you use Google and all its associated services (or even just a handful) that is a lot of information in the cloud that you will want to protect. Hopefully you are using a strong password, and a unique one, but even then... is it enough? Look at the massive PSN debacle -- that is a lot of personal information that is now in the hands of someone you never authorized.

Two-factor authentication is used in a lot of enterprises. It consists of authenticating with two tokens: one you know, and one you don't. The token you know is your password; the one you don't is a random bunch of numbers that changes every 60 seconds (the PIN). This way, if a cracker gets your password, they cannot access the service unless they also know the random PIN, which is tied to a specific hardware device. With Google, this PIN is generated by an app called Google Authenticator, installed on your phone. And if your phone is stolen or lost, you can still get into your accounts to change your password: when you set up the two-factor authentication service, you can opt to receive the code as a backup by text message or by a phone call with a lovely recorded voice speaking the code to you (obviously, choose a phone number that is different from your cell phone).

If you are using Google Apps, the site administrator needs to enable the service. This can be done in the domain management control panel, under the Advanced Tools heading. Under the Authentication section, enable allowing users to turn on two-factor authentication. There is no way to force this (and neither should there be), so each user will need to enable it on their own.

Users can enable two-factor authentication by going to their Settings, then selecting Accounts and clicking the Google Account settings link. When the Google accounts page loads, under the Security section of the page there will be a Using 2-Step Verification link, which will walk them through the process. The process is easy and only takes 10-15 minutes.

When you go to log into your account, you supply your username and password as usual. On the next page, the site will ask for your verification code, which you can get from the Google Authenticator application. Simply input the code, optionally tell it to remember the verification code for that computer/browser for the next 30 days, and click Verify.
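How the changing PIN is computed on the phone and checked at the verification step, as an added example that is not from the original article or Google's code: Google Authenticator implements the open TOTP algorithm (RFC 6238), sketched here with the time step as a parameter set to the RFC's default of 30 seconds. The key is the RFC's published test key; `verify` and its `last_used_step` replay guard are this example's own names.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test key (ASCII "12345678901234567890"), base32 as an app would store it.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    """Decode the base32 enrolment secret, tolerating spaces and missing padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, period=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, int(now) // period, digits)


def verify(key, submitted, now, last_used_step=-1, period=30, drift=1, digits=6):
    """Server-side check. Returns the matched time step, or None.

    Accepts +/- `drift` steps to absorb clock skew on the phone, and refuses
    any step at or before `last_used_step` so a captured PIN cannot be replayed.
    """
    current = int(now) // period
    for step in range(max(0, current - drift), current + drift + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step, digits), submitted):
            return step  # caller stores this as the new last_used_step
    return None


if __name__ == "__main__":
    key = decode_secret(RFC_TEST_SECRET_B32)
    print(totp(key, 59), verify(key, totp(key, 59), now=59))
```

The server has to persist the returned step per account; without that, the same PIN stays valid for the whole drift window.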

Also on this page is the "Application-specific passwords" link, which is where you define random passwords for various applications. Because two-factor authentication does not lend itself well to mail clients or news readers, you can create per-application passwords here and give those passwords to the applications that need them. For instance, in Apple Mail instead of supplying your Google or Google Apps password, you would provide a randomly generated password from this page. Likewise with iChat (for Google Talk accounts) and Reader for Google News (or whichever RSS reader you use).

You can create one password per computer, per application, or a combination thereof. These application-specific passwords are great. If your laptop gets stolen and the thief manages to log into your computer, chances are your mail password is stored in the Keychain and the thief could get to your account without knowing your password (provided the Keychain is not locked and they don't know the password).

Because of the per-application password, if they knew the password to check mail via Apple Mail, they still would not be able to log into your Google account in a web browser. And managing passwords via the Google accounts configuration site allows you to revoke those passwords (one of the first things you may want to do if you find your phone or laptop is stolen).
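The issue, scope and revoke behaviour described above, as an added toy model rather than Google's implementation. The class, the channel names and the 16-letter password format are assumptions of this example.

```python
import hashlib
import hmac
import secrets

LETTERS = "abcdefghijklmnopqrstuvwxyz"
APP_CHANNELS = {"imap", "smtp", "xmpp", "feeds"}  # assumed non-browser protocols


class AppPasswordStore:
    """Hypothetical model of one account's application-specific passwords."""

    def __init__(self):
        self._entries = {}  # label -> (salt, derived key); plaintext is never kept

    @staticmethod
    def _derive(salt, password):
        # Ignore display spacing and case so the password can be typed as shown.
        normalized = password.replace(" ", "").lower().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)

    def issue(self, label):
        """Create a random password for one app on one machine; it is shown once."""
        if label in self._entries:
            raise ValueError("label already in use: " + label)
        password = "".join(secrets.choice(LETTERS) for _ in range(16))
        salt = secrets.token_bytes(16)
        self._entries[label] = (salt, self._derive(salt, password))
        return " ".join(password[i:i + 4] for i in range(0, 16, 4))

    def authenticate(self, channel, password):
        """Return the matching label, or None. Browser sign-in never accepts these."""
        if channel not in APP_CHANNELS:
            return None  # web login needs the account password plus the PIN
        matched = None
        for label, (salt, key) in self._entries.items():
            if hmac.compare_digest(self._derive(salt, password), key):
                matched = label
        return matched

    def revoke(self, label):
        """Drop one password; every other app keeps working."""
        return self._entries.pop(label, None) is not None
```

Because `authenticate` returns the label that matched, each mail or chat login can be logged against a named device, which shows which entry to revoke after a theft.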

Using two-factor authentication with Google applications, on your Mac, couldn't be easier. Google Authenticator is available for Android, iPhone, and BlackBerry so any smart phone can be turned into a token-generating device. And with per-application passwords, you can continue to use your Google accounts on your computer without interruption (other than changing the passwords in each application the first time you enable two-factor authentication).

Some people might find two-factor authentication a nuisance, but let's be honest. How many people have a smart phone that they don't have within easy reach almost all the time? For the minor inconvenience of loading the Authenticator app and setting the whole thing up, the security benefits are amazing. And for those in the enterprise that already use two-factor authentication (via RSA key tokens or Yubikeys, etc.), this is nothing new.

For me, the resulting security increase is well worth the few seconds to look at my phone for the PIN.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
