As internet applications mature, two-factor authentication is becoming a more widely used approach for protecting identities. Where the concern was traditionally identity theft and hijacked mail accounts used for spamming, break-ins into cloud accounts to steal photos now seem to be at least as much of a driver. Many (public) SaaS providers offer a form of two-factor authentication, such as github.com, Facebook, Twitter and Evernote. There is even a website that tracks adoption (https://twofactorauth.org/). The implementation I find most advanced is Google's, because it is very rich in self service, configuration and detection. Here is my deconstruction of its features.
Google's strong authentication, which Google calls 2-Step Verification, can be configured by the user. As soon as you have an account, you are offered additional features to protect it, and a wizard guides you through the setup. Next to your personal info there is a separate Security section. Besides the ways to enable a second factor, Google already offers guidance on some additional features. Obviously there is management of connected apps (OAuth/OpenID).
It also offers settings specifically for security alerts, an overview of connected devices, and a list of security-related events. High-profile security actions and access events from devices can be viewed separately. I find these features very strong compared to other sites. For Google, the Chrome browser is the access point to its universe, and in that way devices like mobiles and tablets are treated like your desktop: your desktop/Chrome browser combination is just another device.
Compared to some other sites, the pattern here is fourfold:
- Allow self service to enable protection of your account
- Allow easier access from apps and services by registration (through OAuth)
- Show the different devices, treating desktops/laptops similarly to mobile devices
- Provide a clear overview of access events
You can tell the maturity of a service by the clear separation of access between devices and apps, preferably treating your browser/laptop combination as just another app/device. Access has truly become two-dimensional. You see this for Google and also for Evernote; for the latter there is no browser, but a browser extension (the Evernote clipper). Consider for example github.com, which also has strong security features but still talks about 'sessions'. It still considers access one-dimensional, in the traditional "I can log in from the web cafe or from home" way.
The authentication itself
This is about various forms of stronger login and the means of recovery in case something gets lost. Google offers four forms of strong authentication: an app-based OTP generator, SMS, voice call and a USB security key. The wizard guides you through the process and you can select either the app-based OTP generator or SMS/voice. For the app you can download Google's own Authenticator or use an alternative like Authy. Seeding the app is as simple as pointing your camera at the QR code. The mechanism is such that if you initialise another app, the previous one is rendered inactive: a new seed is generated and codes from the old seed no longer verify. If you choose SMS, you receive the OTP at the moment of logging in. If that is not sufficient for you, you can rely on an even stronger form using a security key such as a YubiKey, a USB device that must be plugged into your laptop or desktop. This is a stronger "something you have".
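What the app actually does after it reads the QR code is RFC 6238 TOTP: the QR code carries a base32 seed, the app computes HMAC-SHA1 over the current 30-second time step, and the server does the same with its copy of the seed. The following is an added example written for this article, not Google's code; the account name, issuer and the single-secret-per-account server model are assumptions, the 30-second step and 6-digit codes are the RFC defaults. It also shows why enrolling a second app deactivates the first: the server keeps exactly one seed.

```python
"""Added example (not Google's code): minimal RFC 6238 TOTP with enrolment and
re-enrolment. Standard library only."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default, also what the authenticator apps use
DIGITS = 6


def b32(raw: bytes) -> str:
    """Base32-encode a raw seed, the form it takes inside the QR code."""
    return base64.b32encode(raw).decode("ascii")


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random 160-bit seed (the HMAC-SHA1 block size), base32-encoded."""
    return b32(secrets.token_bytes(nbytes))


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that is encoded into the enrolment QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian time-step counter,
    dynamically truncated (RFC 4226) to `digits` decimal digits."""
    key = base64.b32decode(secret, casefold=True)
    counter = struct.pack(">Q", at_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: str, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate
    clock skew; compare in constant time so timing does not leak digits."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * STEP_SECONDS), code):
            return True
    return False


class Account:
    """Server side: one TOTP seed per account. Enrolling again replaces it."""

    def __init__(self) -> None:
        self.secret = None

    def enroll(self) -> str:
        self.secret = generate_secret()
        # account name and issuer are assumed values for the example
        return provisioning_uri(self.secret, "alice@example.com", "Example")

    def login(self, code: str, at_time: int) -> bool:
        return self.secret is not None and verify(self.secret, code, at_time)


def reenroll_demo(at_time: int) -> tuple:
    """Enroll, take a valid code, enroll a second app, then check whether the
    old app's code and the new app's code still work. Returns (old_ok, new_ok)."""
    acct = Account()
    acct.enroll()
    old_code = totp(acct.secret, at_time)
    assert acct.login(old_code, at_time)   # first app works
    acct.enroll()                          # user sets up a second app: new seed
    return acct.login(old_code, at_time), acct.login(totp(acct.secret, at_time), at_time)


if __name__ == "__main__":
    now = int(time.time())
    print("old app still valid, new app valid:", reenroll_demo(now))
```

The `window` in `verify` is the trade-off between tolerating phone clock drift and widening the guess space; a server should pair it with rate limiting, since a 6-digit code is only about 20 bits.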
Trusted devices and applications are registered once. The first authentication is strong; after that the device is registered, as with the Chrome setup with the toolbar, and the password is only requested again when the user enters a high-risk area such as the security settings. The OTP-based second factor works on all Google apps and devices. However, you may run into situations where an application cannot use the strong authentication setup, for example using Calendars and Contacts in Mail or on your iPhone. For that Google offers specific 16-character app passwords. These are generated once and should be used for a single use case only. Interestingly, the web login recognises these passwords and does not allow you to use them to log in on the web: they are therefore true API tokens. From the portal these tokens can be managed and revoked.
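The distinguishing property of an app password is that it is a second, narrower credential: valid only for the non-interactive protocols, never for the web form, and revocable on its own. The following is an added example of how a service can implement that, written for this article and not Google's code; the 16-lowercase-letter format, the labels and the return strings are assumptions. Note that neither the primary password nor an app password is stored in the clear, and that the primary password alone is refused on the API side, which is exactly why the app password exists.

```python
"""Added example (not Google's code): app-specific passwords that work on the
API only, are refused by the web login, and can be revoked individually."""
import hashlib
import hmac
import secrets
import string

APP_PW_LENGTH = 16                  # assumed format: 16 lowercase letters
APP_PW_ALPHABET = string.ascii_lowercase


def _digest(secret: str, salt: bytes) -> bytes:
    """Slow salted hash; plaintext credentials are never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


class AccountCredentials:
    def __init__(self, primary_password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._primary = _digest(primary_password, self._salt)
        self._app_pws = {}          # token_id -> {"label", "salt", "digest", "active"}

    def issue_app_password(self, label: str) -> tuple:
        """Generate once for one use case; the plaintext is returned exactly once."""
        plaintext = "".join(secrets.choice(APP_PW_ALPHABET) for _ in range(APP_PW_LENGTH))
        token_id = secrets.token_hex(4)
        salt = secrets.token_bytes(16)
        self._app_pws[token_id] = {"label": label, "salt": salt,
                                   "digest": _digest(plaintext, salt), "active": True}
        return token_id, plaintext

    def _match_app_password(self, candidate: str) -> tuple:
        """Find the app-password record a candidate matches (active or revoked)."""
        for token_id, rec in self._app_pws.items():
            if hmac.compare_digest(_digest(candidate, rec["salt"]), rec["digest"]):
                return token_id, rec
        return None, None

    def web_login(self, password: str, second_factor_ok: bool) -> str:
        """Interactive login: primary password plus second factor.
        An app password is recognised and refused, even if it is still active."""
        token_id, _ = self._match_app_password(password)
        if token_id is not None:
            return "rejected: app password is not valid on the web login"
        if not hmac.compare_digest(_digest(password, self._salt), self._primary):
            return "rejected: bad password"
        return "ok" if second_factor_ok else "rejected: second factor required"

    def api_login(self, password: str) -> str:
        """Legacy client (IMAP/CalDAV/CardDAV): only an active app password works;
        the primary password alone is not enough once a second factor is enabled."""
        token_id, rec = self._match_app_password(password)
        if token_id is None or not rec["active"]:
            return "rejected"
        return f"ok: {rec['label']}"

    def revoke(self, token_id: str) -> bool:
        """Pull back one app password without touching the others."""
        rec = self._app_pws.get(token_id)
        if rec is None:
            return False
        rec["active"] = False
        return True


if __name__ == "__main__":
    acct = AccountCredentials("correct horse battery staple")   # constructed sample
    tid, pw = acct.issue_app_password("iPhone CalDAV")
    print("api:", acct.api_login(pw), "| web:", acct.web_login(pw, True))
    acct.revoke(tid)
    print("api after revoke:", acct.api_login(pw))
```

Because each app password carries its own label, a revoked token tells you which client lost access, and a surprising `ok: <label>` in the access log tells you which token leaked.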
After setting up strong authentication, Google offers in total three ways of authenticating:
- General two-factor login: password plus the authenticator of your liking (SMS/voice, app or security key)
- Trusted devices: password only; you can revoke the current one or all at once
- App passwords: generated once, for specific use cases
Unless you are running something like Authy, which backs up your seeds, you will run into the situation where your phone gets lost or where you accidentally wipe your token application (guilty). Not being able to receive or generate an OTP is rather hard in a strong authentication setup. Obviously Google has the well-accepted form of printed backup codes: a list of 10 codes, each of which can be used once. A very strong addition is the fallback to a secondary phone number for SMS in case your primary one gets lost. Next to that it allows you to switch methods and re-enroll at any time. Google makes a very strong case for self service, offering as many features as possible.
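Backup codes are the simplest of the mechanisms, but the two properties that matter are easy to get wrong on the server: each code must work exactly once, and printing a new set must invalidate the old one. The following is an added example written for this article, not Google's code; the 8-digit format is an assumption. Because an 8-digit code is only about 27 bits, the codes are stored under a slow salted hash and the server must also rate-limit attempts, which is outside this snippet.

```python
"""Added example (not Google's code): a set of printable single-use backup
codes, stored hashed, consumed once, replaced as a whole set."""
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # Google hands out a set of 10
CODE_DIGITS = 8          # assumed format for this example


class BackupCodes:
    def __init__(self) -> None:
        self._salt = b""
        self._unused = set()        # digests of codes that have not been spent

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), self._salt, 50_000)

    def generate(self) -> list:
        """Return the codes to print, exactly once. Calling this again replaces
        the whole set, so any previously printed sheet stops working."""
        self._salt = secrets.token_bytes(16)
        codes = [str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
                 for _ in range(CODE_COUNT)]
        self._unused = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Constant-time match against the unspent set; a matching code is
        removed so it cannot be replayed."""
        candidate = self._digest(code.replace(" ", "").replace("-", ""))
        for stored in list(self._unused):
            if hmac.compare_digest(candidate, stored):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        """What the portal shows the user: how many codes are left."""
        return len(self._unused)


if __name__ == "__main__":
    bc = BackupCodes()
    sheet = bc.generate()
    print("printed codes:", sheet)
    print("first use:", bc.redeem(sheet[0]), "second use:", bc.redeem(sheet[0]))
    print("remaining:", bc.remaining())
```

Storing only digests means a database leak does not hand over the sheet, and a dropping `remaining()` count that the user did not cause is itself a signal worth alerting on.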
I consider Google's authentication to be one of the most advanced authentication mechanisms, truly focused on usability in a multi-device, app-centric world. The main theme of this breakdown is self service: in enrolment, recovery, detection and, obviously, switching. The big difference between enterprise provisioning and consumer authentication is that the enterprise wants to enroll securely, with certainty that the account arrives safely at the person and remains there, while in the consumer business the account is simply provided and after that the user wants the means to keep it safely. Google trusts users completely to handle these tasks. There is so much for the enterprise to learn from the consumerised world.