
I recently enabled two-factor authentication on my Google account. I'll review what two-factor authentication is and how it works.


We've been using single-factor authentication - otherwise known as "username/password" - for perhaps as long as there have been computers with accounts to log in to.

Single-factor authentication relies on "something you know" - namely your username and password. Know that and you can be authenticated.

With the recent rash of account theft, multi-factor authentication is becoming more popular. Two-factor authentication adds a second factor - typically "something you have" - whose presence must be proven before your login succeeds.

In this video excerpt from an Ask Leo! webinar, I'll talk a little about multi-factor authentication and show how it works.



Two-factor authentication - what is it? In the traditional world that we've gotten used to over the last, gosh, 30, 40 or maybe even more years, we think of authentication as being something very simple: a username and a password. Boiled down even more simply, it's one factor; it's something you know. You know a username and password, and that gets you in. Anybody who knows that username and password can get into the account they reference.

Multi-factor authentication basically says: introduce other types of things that are more than just something you know. Typically, they are things like something you 'are' or something you 'have'. A good example might be fingerprint readers on laptops; in some cases you can configure them so that you can log in only with your fingerprint. That's still only one factor: the finger identified you, and that was enough. Two-factor authentication would have you log in with a password and also provide that same fingerprint. Now, not everybody has fingerprint readers, and it doesn't necessarily make sense in a lot of other contexts.

So what a couple of companies devised some number of years ago is this concept of a little device; this is an example of what I call the PayPal football. Each football is unique and is associated with your account, and it contains, or is somehow associated with, a master secret encryption key. Using that key, this device (and devices like it) displays a unique, random-looking number every minute; it changes every minute. So, for example, when I took this picture it displayed 559506; a minute later it was a completely different number; a minute after that, a completely different number. Just looking at the numbers, there's no rhyme or reason that would let you predict what the next number is going to be. It's all based on encryption technology.

Now, the PayPal login servers on the other side know your account, and they know that same secret key, so they can also do the encrypted math to generate what that number should be. What that means is that when you log in to PayPal, and you've enabled this feature, it can then require that you log in with your user ID, your password, and the current number being displayed by the little PayPal football associated with your account. In other words, you have to prove you have the football; you have to prove you are in possession of this thing. Something you know: your username and password; something you have: the PayPal football. Now, I call it a football only because it looks like a football, and I think one of the other security folks tends to refer to it that way. There are other devices; I think there's a credit card version of this. They don't look exactly like this. World of Warcraft actually makes one that looks very much like this. Again, all for securing logins by adding multi-factor authentication.
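The scheme just described, a shared secret plus the current time turned into a short code that both the token and the server can compute, is what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardize, and it is what the Google Authenticator app mentioned later on this page implements; whether PayPal's token uses exactly this algorithm the article doesn't say. The following is an added example, not code from the article or from PayPal, Google or LastPass: a minimal token side and server side in Python, using the constructed test secret from RFC 4226/6238 (the ASCII string 12345678901234567890) and a 30-second step. It also shows the two server-side checks the transcript doesn't mention: a small window to absorb clock drift, and refusing a code that has already been accepted, so that a code read over someone's shoulder can't be replayed within the same minute.

```python
"""Added example: an RFC 4226/6238 one-time-password token and the
matching server-side check. Not code from the article, PayPal or Google."""
import base64
import hashlib
import hmac
import struct

# Constructed shared secret: the test vector from RFC 4226 / RFC 6238.
# A real token or authenticator enrolment gets its own random 20+ byte secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the token side. The counter is the number of `step`-second
    intervals since the Unix epoch, so a new code appears every `step` s."""
    return hotp(secret, now // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """What gets typed or QR-scanned into an authenticator app: the same
    secret, base32-encoded (the encoding RFC 6238 apps such as Google
    Authenticator use), without padding."""
    return base64.b32encode(secret).decode().rstrip("=")


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6):
    """Server side. Recompute the code for the current interval and `window`
    intervals either side (clock drift between token and server), compare in
    constant time, and return the interval that matched, or None."""
    current = now // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class TotpAccount:
    """Per-account state the server must keep: the secret and the last
    interval whose code was accepted, so a code observed during the
    interval cannot be used a second time (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def check(self, code: str, now: int) -> bool:
        counter = verify_totp(self.secret, code, now)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    import time
    t = int(time.time())
    print("enrol this in the app:", provisioning_secret(SECRET))
    print("token shows:", totp(SECRET, t))
    acct = TotpAccount(SECRET)
    print("server accepts:", acct.check(totp(SECRET, t), t))       # True
    print("replay accepted:", acct.check(totp(SECRET, t), t + 5))  # False
```

The token never talks to the server; both sides simply agree on the secret and the clock, which is why the football works with no network connection and why the server needs a drift window. The replay check is the part that is easy to forget: accepting the same code twice within its 30-second life turns "something you have" back into "something you know" for anyone who saw the screen.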

Now, there's this: Google supports multi-factor authentication. You can enable it on your Gmail account, and in doing so you have the option of installing an application on your Android phone, as you can see I've done here, and it works exactly the same way. When I log in to Google, I have to log in with my username and my password, and then I have to go grab my phone and type in whatever number is being shown on it at that time. In fact, I'll show you exactly what that looks like, just so that the process of using two-factor authentication is clear.

So this would be the standard login: username and password. If you don't have multi-factor turned on, this is all you need to do. I have it turned on, so it's now asking me to go to the mobile application, which I happen to have sitting here next to me (that's the number currently showing on my phone), and now I'm logged in. If I didn't have the phone with me, I wouldn't be able to log in. It's another level of security: if somebody stole my password, they wouldn't have my phone, so they wouldn't be able to log in.

A couple of comments on Google's implementation of this. On my desktop computer, where I log in frequently and don't always want to deal with this, I have the option (in fact, you may have seen it on the login screen before) of telling Google, 'This computer is trusted; don't ask me for this verification code again for another 30 days.' I think that's a great compromise. On my laptop, which I may very well take with me from time to time, I don't want it to be trusted; I want to assume that someone has stolen my laptop and have it ask for that verification code every time. So I do. I have my phone with me pretty much at all times when I'm out and about with my laptop.

The other item that comes up is that there are a number of Google applications, or applications that use Google accounts, for which you don't have the opportunity to do multi-factor authentication.

For example, I use Thunderbird to download my Google mail as a POP3 client. So what Google allows you to do, when you set up multi-factor authentication, is also set up what they call 'application passwords'. These are definitely random (I think they are 12-character strings) that you then copy and paste into the account configuration for your mail program, and that enables the mail program to work without multi-factor authentication. Now, if that mail program happens to be on a laptop, doesn't that defeat multi-factor authentication? No: if they've gotten into your laptop, you've already got multi-factor protecting that. The more common scenario is the phone itself, which also has a Google mail application on it that has to use a Google app password. The passwords are controlled by your account, which means you set up however many of these application passwords you want (2, 4, 6...) and configure each application with one of them; but at the same time you have the opportunity to immediately turn around and disable a password online, once you've logged into your Google account, thereby immediately disabling, for example, my email program's ability to download mail. All in all, they've had to compromise on a number of different things to make it usable, but they have compromised in such a way that they have not adversely impacted the additional security that two-factor authentication gives you. So, that's Google.

I've talked in the past about LastPass as a password management tool. LastPass also allows you to configure it to require multi-factor authentication. If you configure LastPass for multi-factor authentication, which, by the way, works only for Windows at this time, you end up downloading an application called Sesame that you run once to configure. You place that application on a USB device (like a USB thumb drive). Or, in my case, since my phone happens to look like a USB drive, I actually have it on my phone as well.

After configuring Sesame to associate with your account, when you log in to LastPass on a computer that you believe is untrusted, you are then required (as this dialog shows) to run the Sesame application to prove that you are in possession of that USB thumb drive or that phone. It is something that you have. When you run it (this is an actual screenshot of the Sesame application being run from a USB thumb drive), you end up generating a one-time password that you then copy (in my case, to the clipboard), go back to that login page, paste in, and authenticate with. The bottom line is that it turns out to be another form of multi-factor authentication. In order for me, on my laptop, to log in to my LastPass account, I have to have my phone with me, and I actually have to have my phone plugged in so that I can treat it as a USB thumb drive and run the Sesame application stored on it. I've proven that I know my username and password, and I've proven that I have my security device; in my particular case, my phone. That's multi-factor authentication.

Now, much like Google, LastPass also allows for one-time passwords, so that when you've forgotten your device, or you don't have your device, you have an alternative password that you can use to log in exactly once. At that point you can go in and reconfigure your account. As you can see in this diagram: 'If you lost your Sesame device, click here to disable Sesame authentication.' Which seems counter-intuitive, I mean, if it's that easy to disable; but it's not, because you also have to prove you are the owner of the email account that you have associated with LastPass. The disabling of Sesame authentication is done with an email confirmation. So if someone has stolen or gotten to your computer, is trying to log in to LastPass, and wants to bypass Sesame multi-factor authentication, they will also have had to gain access to your email first. That's a 'chicken and egg' problem, by the way, if you've got your email password stored in LastPass: they need LastPass to get your email password, but they need your email password in order to get access to LastPass. In other words, they're stuck no matter what.

And finally, both Google and LastPass support printed one-time passwords. When you set either of them up, you have the option of printing off a document that contains a number of one-time passwords. You store those in a safe place (something other than a LastPass secure note) that you can get to in a pinch. Some people have actually printed them off, folded them up and placed them in their wallet, for example. The idea is that by having a limited number of one-time passwords with you in a safe place, you have the option of logging into LastPass or Google even if you've lost your authentication device.
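How a site must handle those printed codes follows from what they are: random secrets that are valid exactly once. The following is an added example, not code from the article or from Google or LastPass, of generating such a sheet and of the server-side store that redeems each code a single time. The design points are the ones a practitioner wants and the transcript leaves implicit: the codes come from the OS CSPRNG, the server keeps only a salted slow hash of each (so a leaked database doesn't hand out working codes), a code is deleted the moment it is used, and typed input is normalized so the dashes and capitalization on the printed sheet don't matter. The alphabet, the 8-character length and the PBKDF2 round count are my choices, not anything the page specifies.

```python
"""Added example: printed single-use recovery codes, generation and
server-side redemption. Not code from the article, Google or LastPass."""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

# Constructed alphabet: digits and lowercase letters minus 0/1/i/l/o, which
# are easy to confuse when reading a code off paper.
ALPHABET = "23456789abcdefghjkmnpqrstuvwxyz"
CODE_LENGTH = 8          # 31^8 is roughly 2^40 possibilities per code
PBKDF2_ROUNDS = 50_000   # codes are short, so make each guess expensive


def generate_codes(count: int = 10, length: int = CODE_LENGTH) -> List[str]:
    """Fresh codes from the OS CSPRNG (secrets), never random.random."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def for_printing(code: str) -> str:
    """Sheet format: groups of four separated by a dash, e.g. 'abcd-efgh'."""
    return "-".join(code[i:i + 4] for i in range(0, len(code), 4))


def normalize(typed: str) -> str:
    """Accept whatever the user typed from the sheet: drop spaces and
    dashes, fold case."""
    return "".join(ch for ch in typed.lower() if ch not in " -")


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """What the account record holds: a per-account salt and the hashes of
    the codes not yet used. The plaintext codes exist only on the sheet."""

    def __init__(self, codes: List[str], salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        self._unused = [_digest(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, typed: str) -> bool:
        """True exactly once per code. Every stored hash is compared in
        constant time (no early exit, so timing doesn't leak which slot
        matched); a match removes the hash, so a second use fails."""
        candidate = _digest(normalize(typed), self.salt)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.remove(matched)
        return True


if __name__ == "__main__":
    sheet = generate_codes()
    print("\n".join(for_printing(c) for c in sheet))      # goes in the wallet
    store = RecoveryCodeStore(sheet)                       # goes in the database
    print(store.redeem(for_printing(sheet[0]).upper()))    # True
    print(store.redeem(sheet[0]))                          # False: already used
    print(store.remaining())                               # 9
```

Because only hashes are stored, the sheet in the wallet is the sole copy of the codes; that is exactly why the transcript warns against keeping them in a LastPass secure note, where losing access to LastPass would also lose the codes meant to recover it.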

So with that, any questions on multi-factor authentication? It took me a while to get comfortable with it; I did enable it on my Google account, and it has not been nearly the annoyance that I expected it would be. Given how much we rely on individual accounts these days, and given that there's a tremendous amount of information associated with my Google account, it makes a lot of sense to put that extra layer of security in place to prevent something I see reported in questions every day: account theft.

So Mark comments: 'If you use LastPass to log on to your email and then don't [know] your email password, you're also fried.' True. You might want to use a different email account for this or, as I said, use one of the one-time passwords that you will have set up when you created the multi-factor authentication with LastPass. And by the way, I think I've skipped over a step... actually, there are two things I skipped over! One is that LastPass, much like Google, will let you say 'This computer is trusted, and you don't need two-factor authentication on it.' So on my desktop I don't do two-factor authentication. I only do it on my laptop, because the laptop is portable and could be lost. Second, I missed something with Google. You don't have to use the Android application. Remember, it's a 6-digit number that you end up having to type in; Google also gives you the option of getting that number via text message, so you could get it on any phone that receives text messages. I believe they actually have the option to give it to you via recorded voice as well. In other words, they will call you on the number that you pre-registered, and a voice will tell you the 6-digit authentication code that you then type in.

That's it on two-factor authentication.

Article C4881 - July 23, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Mark J
July 24, 2011 1:38 PM

European banks have had 2 factor authentication since the 90s. They mail you a TAN (Transaction Account Number) list and each number can only be used once to perform a transaction such as a transfer to someone else's account.

This is now being phased out by some banks in favor of something even more secure. The TAN system is flawed in that people often leave their TAN lists in vulnerable places and even write their PIN on the list.

Now many are using such things as Mobile Phone TANs, TAN calculators which generate a one-time TAN in various ways, USB dongles, etc. This second factor of authorization has made European banking much more advanced than in the US.

With that system it is possible for anybody to easily transfer money to anyone else's bank account without having to set up a payment with their bank.

July 26, 2011 8:42 AM

On-line banking thru my bank has started something similar, at least a 'second layer' of so-called security.

I say so-called because it is completely bogus.

I am asked several questions based on 'public records' that they presume I should know the answer to. The questions are so poorly configured as to be IMPOSSIBLE to answer correctly. Example: 'Where does own property?' A list of localities follows the question. The person referred to is my former wife. I don't know where she lives, let alone where she does/does not own property. The last answer choice is: 'None of the above or you do not know this person.'

And there is the problem. I cannot answer that question correctly.

...and every time I've been asked the question, my best guess answer (the last choice noted above) is wrong. The result is I am locked out of my account. I then have to call the bank, press this number, that number, some other number on the phone...then wait to talk to an agent.

Once, I called them mid-morning PDT and got a recording (after pressing all the phone buttons to GET to 'on-line banking') telling me they were CLOSED, then I was told the 'normal hours' they were open. Of course, I was calling smack dab in the MIDDLE of that timeframe.

My point is this: While attempting to increase security for banking functions is commendable, using functions that are impossible to navigate correctly benefits absolutely no one. ALL it amounts to is being a pain in the buttocks.

My reaction: you need a new bank. This one clearly doesn't "get" security.

Jim C
July 26, 2011 2:23 PM

One company I worked for used a bingo card style remote log-in authentication system.

When you joined, you were provided with a randomly assigned matrix that you printed and placed in your wallet, etc.

During log-in you are given 3 pairs of characters: A3, G5, C9. Within a time frame, you look up and enter the letters that appear at the row/column intersections to gain access.

Glenn P.
July 27, 2011 6:29 PM

If you use PayPal, you can, for a price, buy a perfectly typical "two-factor" system: a PayPal Security Key. Press the button on this, and it generates a number, presumably based on the current time, which you must enter along with your password when logging into PayPal for extra security.

Wells Fargo offers a similar service, but it's only used for rare, high-risk operations.

Perhaps the commonest and simplest (and in my opinion by far the weakest) of the "two-factor", "something-you-have" systems is simply the Card Verification Value you're forced to enter during many online credit card transactions. This three-digit number is listed on the back of your credit card; presumably, its function is to "prove" that you actually possess the card (so "that's how you obtained the number"). The reason I see this system as fallacious is easy enough to see: First, it only changes when the expiration date changes (and is therefore valid for just as long)! Second (and far more importantly), since the same processes by which a thief -- online or offline -- can extract your credit card number can presumably extract your CVV as well, I personally don't put too much value in the CVV!

The PayPal Security Key is featured in the video.

Glenn P.
July 29, 2011 4:53 AM

And, to my profound annoyance, I have an errata for the preceding:

The C128 has a speed of 2 MHz, not 1 Hz (my brain was a tad fuzzy when I wrote that!). The C64 is only 1 MHz.

And note that I say MHz, and not GHz! Ye gads! :)

May 28, 2012 6:52 AM

Seems like many organizations are still struggling with what method is best suited to add the appropriate additional layer of authentication for access and transaction verification without unreasonable complexity. I've noticed many of the global cloud providers, banks, email, social media, etc. are moving to the use of a telephone (mobile or other) as a form of a token, where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. Or, if you don't want to do this every single time, some offer the option to designate your smartphone, PC, or tablet as a trusted device, and they will allow you to enter without the text code. Should an attempt to log in from an unrecognized device happen, it would not be allowed.

March 21, 2013 6:31 PM

Hi, I'm Alex. I've read your transcript about Two-Factor Authentication. Two-Factor Authentication is more secure than single factor, but do you feel that it's a bit complex? Each time you log in, you have to input your username, password and the number. Too much input is boring....
