Saturday, June 4, 2011

Google does Two-Factor Authentication, and so do I

So, Google has rolled out their version of Two Factor Authentication, requiring you to use your phone to generate a time-based One Time Pad (TOTP) code in order to log into your account.  I like it.  It's good they took the initiative even for free e-mail accounts.  I do have several criticisms, mostly with the draft doc of TOTP, but I will post those another time, as they aren't show-stoppers for me.

The idea is: you can't log into your account without an additional pin or code generated from something that isn't on the login page, it has to come from some other device in your possession, which is unique to you.  This follows the mantra "Something you are [user ID], something you know [password or passphrase], and something you have [your phone, smart-card, or other token generating device]."  This makes the account more secure.  Banks use this same approach to keep online accounts secure, World of WarCraft has its own variant, and there are a few others.

Honestly, I wish more providers did this (I'm looking at YOU FaceBook!).

The Google Authenticator app is meant for Android devices, iDevices (iPhone/iPod etc), and Blackberry devices that have cameras, although you can manually enter the info if the device can't read a QR barcode that is generated when you set up Two-Factor Authentication. 

During activation of the Two-Factor process, an 80-bit random number is created at that time and made part of your account.  This is needed to generate the TOTP codes.  It's this 80-bit key that makes your Authenticator unique. 

<side note>
Google also prevents any other device or service from logging into to any Google service!  Now what?

For every device that you want to authorize, you generate a unique password that is completely random, and Base32 encoded so that all you have to enter are lower case letters and numbers.  This becomes your "password".  So your iDevice now has a different password from your Android, from your Blackberry, from your... whatever other thing logs into Google.  Also if that... thing... gets lost, you can revoke the password for JUST THAT ONE THING!  GENIUS!  Now you don't have to change every password you own if one gets compromised!
</side note>

Sometimes, though, you may want to log in to Google and may not have your [insert device here] handy in order to get your TOTP code.  This is one criticism I have, but it's more of an annoyance.

Enter my GoogleAuthCLONE project for Windows!

Now you can securely have your accounts stored in Windows and generate the codes when you need them without having to reach for your [device].  This can also READ barcode image files (like a bmp, jpg, etc, one barcode per file).  That way if you screen cap the setup process with Google, you can come back to this program and just read the barcode to prevent "fat fingering" your information. 

Also, as you can see in the pic, you can generate barcodes that your [device] can read if it has a camera and the Google Authenticator app.  This way if you have all your accounts in this program, and your [device] meets some terrible event (theft, data wipe, bad custom ROM install, etc.), you can re-enter all your accounts without having to reset every single Google account in the process.  In the case of theft, though, reconfiguring your accounts might be a better course of action.  All accounts are stored behind a good password (as enforced by the program) and encrypted on disk using the ThreeFish algorithm which is part of the Skein hash algorithm

Complexity is enforced by requiring a length of at least 8 characters, 1 number, 1 special character, AND upper and lower case letters.

Get it from the CodePlex page, and if you have problems with it, comment there or below this post.  This is released under the Apache 2.0 License which is spelled out on the CodePlex page.  The original Authenticator program developed by the Google dev team was released under the same license. My work was inspired by their program, but it is not a derived work.

[Disclosure:  I wrote the .NET implementation of Skein/ThreeFish that is being used here but I was not one of the original team members that created Skein and ThreeFish.  I figured this was a good real-world example of its use.  Eventually, I might add Skein to the list of available HMAC algorithms used to generate the TOTP's, which would be, unfortunately, incompatible with the Google version.  I'm also using a 3rd party toolkit for the barcodes.]


1 comment:

  1. EDIT: I've since dropped the Skein encryption and am using pure .NET AES encryption because the Skein project moved into a pure 64-BIT environment, and I wanted the AuthenticatorCLONE to be 32- and 64-bit. I've also changed the interface a bit to provide more user feedback.