Helping people with computers... one answer at a time.
I recently enabled two-factor authentication on my Google account. I'll review what two-factor authentication is and how it works.
We've been using single-factor authentication - otherwise known as "username/password" - for perhaps as long as there have been computers with accounts to log in to.
Single-factor authentication relies on "something you know" - namely your username and password. Know that and you can be authenticated.
With the recent rash of account theft, multi-factor authentication is becoming more popular. Two-factor adds something else - typically "something you have" - which must be provably present in order for your authentication to succeed.
In this video excerpt from an Ask Leo! webinar, I'll talk a little about multi-factor authentication and show how it works.
Download the video: two-factor-authentication.mp4 (36M).
Two-factor authentication - what is it? In the traditional world that we've gotten used to in the last, gosh, 30, 40 or maybe even longer years, we think of authentication as being something very simple. It's a username and a password. Boiled down even more simply, it's one factor; it's something you know - you know a username and password that gets you in. Anybody who knows that username and password can get into the account that username and password references.
Multi-factor authentication basically says introduce other types of things that are more than just something you know. Typically, they are things like something you 'are' or something you have. A good example might be fingerprint readers on laptops; in some cases you can configure them so that you can log in only with your fingerprint. That's still only one factor: that finger identified you and that was enough. Two-factor authentication would have you log in with a password and also provide that same fingerprint. Now not everybody has fingerprint readers and it doesn't necessarily make sense in a lot of other contexts.
So what a couple of companies devised some number of years ago is this concept of a little device; this is an example of what I call the Paypal football. Each football is unique and is associated with your account and includes in it, or is somehow associated with, a master secret encryption key. Using that key, this device (and devices like it) displays a unique, random-looking number every minute; it changes every minute. So, for example, when I took this picture, it displayed 559506; a minute later it was a completely different number; a minute after that, a completely different number. There's no rhyme or reason, just looking at the numbers, to be able to predict what the next number is going to be. It's all based on encryption technology.
Now, the Paypal login servers at the other side, they know your account, and they know that same secret key, so they can also do the encrypted math to generate what that number should be. So what that means is that when you log in to Paypal, and you've enabled this feature, it can then require that you log in with your user id, and your password, and the current number that's being displayed by the little Paypal football that's associated with your account. In other words, you have to prove you have the football; you have to prove you are in possession of this thing. Something you know: your username and password; something you have: the Paypal football. Now, I call it a football only because it looks like a football and I think one of the other security folks tends to refer to it that way. There are other devices; I think there's a credit card version of this. They don't look exactly like this. World of Warcraft actually makes one that looks very much like this. Again, all for securing and adding multi-factor authentication to logins.
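As an added illustration (not code from the webinar, and not Paypal's or Google's own implementation), here is the "encrypted math" described above written out in Python: both sides hold the same secret, the device derives a 6-digit code from that secret and the current minute, and the server recomputes the code to check what was typed. The construction is the standard HMAC-based one-time password of RFC 4226/6238; the demo secret, the 60-second step and the one-slot clock tolerance are assumptions chosen for the example.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret. In a real deployment this is a random per-device key
# provisioned once and held by both the token and the login server.
DEMO_SECRET = b"demo-shared-secret-for-example"
STEP_SECONDS = 60   # the "football" rolls over once a minute (assumed step)
DIGITS = 6          # the 6-digit code the page describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 of an 8-byte counter, zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Device side: the counter is simply which time slot we are in."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server side: recompute the code for the current slot and one slot either
    side (token and server clocks are never perfectly aligned). The comparison
    is constant-time so a wrong guess leaks nothing about the right code."""
    now = unix_time // step
    for counter in range(now - skew, now + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    t = int(time.time())
    code = totp(DEMO_SECRET, t)
    print("device shows:", code)
    print("server accepts it now:", verify_totp(DEMO_SECRET, code, t))
    print("same code five minutes later:",
          verify_totp(DEMO_SECRET, code, t + 5 * STEP_SECONDS))
```

The `hotp` function reproduces the published RFC 4226 test vectors, which is the quickest way to check an implementation like this against a real token or server.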
Now, there's this: Google supports multi-factor authentication. You can enable it on your Gmail account and in doing so, you have the option of installing an application on your Android phone, as you can see I've done here, and it works exactly the same way. When I log in to Google, I have to log in with my username, my password and then I have to go grab my phone and type in whatever number is being shown on that phone at that time. And in fact, I'll show you exactly what that looks like just so that the process of using two-factor authentication is clear.
So this would be the standard login: username and password. If you don't have multi-factor turned on, this is all you need to do. I have it turned on, so it's asking me to now go to the mobile application, which I happen to have sitting here next to me (that's the number that's currently showing on my phone), and now I'm logged in. If I didn't have the phone with me, I wouldn't be able to log in. It's another level of security because if somebody stole my password, they wouldn't have my phone, so they wouldn't be able to log in. A couple of comments on Google's implementation of this: on my desktop computer, where I log in frequently and I don't always want to have to deal with this, I have the option (and in fact, I think you may have seen it on the login screen before) of telling Google, 'this computer is trusted, don't ask me for another 30 days for this verification code.' Which I think is a great compromise. On my laptop, which I may very well take with me from time to time, I don't want it to be trusted; I want to assume that someone has stolen my laptop and to ask for that verification code every time. So I do. I have my phone with me pretty much at all times if I'm going out and about with my laptop. The other item that comes up is that there are a number of Google applications, or applications that use Google accounts, for which you don't have the opportunity to do multi-factor authentication.
For example, I use Thunderbird to download my Google mail using a POP3 client. So what Google allows you to do is, when you set up multi-factor authentication, you also can set up what they call 'application passwords'. These are definitely random (I think they are 12-character strings) that you can then copy and paste into the account configuration for your mail program, and that enables the mail program to work without multi-factor authentication. Now if that mail program happens to be on a laptop, doesn't that defeat multi-factor authentication? If they've gotten into your laptop, no, you've already got multi-factor protecting that. The more common scenario is the phone itself, which also has a Google mail application on it that has to use a Google app password. The passwords are controlled by your account, which means you set up (2, 4, 6...) however many of these application passwords you want... you would configure the application with those passwords, but at the same time you have the opportunity to immediately turn around and disable the password, online, once you've logged into your Google account, thereby immediately disabling, for example, my email program's ability to download mail. All in all, they've had to compromise a number of different things to make it usable, but they have compromised it in such a way that they have not adversely impacted the additional security that two-factor authentication gives you. So, that's Google.
I've talked in the past about LastPass as a password management tool. LastPass also allows you to configure it to require multi-factor authentication. If you configure LastPass for multi-factor authentication, which, by the way, works only for Windows at this time, you end up downloading an application called Sesame that you run once to configure. You place that application on a USB device (like a USB thumb drive). Or, in my case, since my phone happens to look like a USB drive, I actually have it on my phone as well.
After configuring Sesame to associate with your account, when you log in to LastPass on a computer that you believe is untrusted, you are then required (as this dialog will show you) to run the Sesame application to prove that you are in possession of that USB thumb drive or that phone. It is something that you have. When you run it (this is an actual screenshot of the Sesame application as it's being run from a USB thumb drive), you end up generating a one-time password that you then copy (in my case, to the clipboard), go back to that login page, paste the one-time password in and authenticate. The bottom line is that it turns out to be another form of multi-factor authentication. In order for me, on my laptop, to log in to my LastPass account, I have to have my phone with me and I actually have to have my phone plugged in so that I can treat it as a USB thumb drive and run the Sesame application that's stored on my phone. I've proven that I know my password and username, and I've proven that I have my security device, in my particular case, my phone. That's multi-factor authentication.
Now, much like Google, LastPass also allows for one-time passwords so that when you, say, have forgotten your device, or you don't have your device, you have an alternative password that you can use to log in exactly once. At that point you can go in and reconfigure your account. As you can see in this diagram, 'If you lost your Sesame device, click here to disable Sesame authentication.' Which seems counter-intuitive, I mean, if it's that easy to disable, but it's not, because then you also have to prove you are the owner of the email account that you have associated with LastPass. The disabling of Sesame authentication is done with an email confirmation. So if someone has stolen or has gotten to your computer, and is trying to log in to LastPass, and they're wanting to bypass Sesame multi-factor authentication, they will also have had to gain access to your email first. That's a 'chicken and egg' problem, by the way, if you've got your email password stored in LastPass. They need LastPass to get your email password, but they need your email password in order to get access to LastPass. In other words, they're stuck no matter what.
And finally, both Google and LastPass support printed one-time passwords. When you set either of them up, you have the option of printing off a document that contains a number of one-time passwords. You store those in a safe place; something other than a LastPass secure note, but someplace safe that you can get to in a pinch. Some people have actually printed them off, folded them up and placed them in their wallet, for example. The idea is that by having a limited number of one-time passwords with you in a safe place, you have the option of logging into LastPass or Google even if you've lost your authentication device.
So with that, any questions on multi-factor authentication? It took me a while to get comfortable with it; I did enable it on my Google account and it has not been nearly the annoyance that I expected it would be. And given how much we rely on individual accounts these days, and the tremendous amount of information associated with my Google account, it makes a lot of sense to put that extra layer of security in place to prevent something that I see reported in questions every day, and that is account theft.
So Mark comments, 'If you use LastPass to log on to your email and then don't know your email password, you're also fried.' True. You might want to use a different email account for this or, as I said, use one of the one-time passwords that you will have set up when you created the multi-factor authentication with LastPass. And by the way, I think I've skipped over the step... actually, there are two things I skipped over! One is that LastPass, much like Google, will let you say 'This computer is trusted and you don't need two-factor authentication on it.' So on my desktop, I don't do two-factor authentication. I only do it on my laptop because the laptop is portable and could be lost. Second, I missed something with Google. You don't have to use the Android application. Google also gives you the option - remember, it's a 6-digit number that you end up having to type in - of getting that number via text message, so you could get it on any phone that receives text messages. I believe they actually have the option to give it to you via recorded voice. In other words, they will call you on the number that you pre-registered, obviously, and a voice will tell you what the 6-digit authentication code is that you can then type in.
That's it on two-factor authentication.