Thursday, May 19, 2011

Google Authenticator

Yesterday I sat in on the Interagency Advisory Board meeting. The first topic of conversation was the Google two-factor solution, which made me think that I should write a brief piece on my experience with it, as I have used it for a few months now on my personal Google account.


The widely available two-factor solution is based upon an OATH implementation. It supports both the HMAC-based (HOTP) and the time-based (TOTP) one-time password algorithms. Today it has two major components: apps, including an Android app, a BlackBerry app and an iOS app; and a PAM module that can add two-factor authentication to PAM-enabled applications. I use the Android app, which allows me to use counter-based or time-based OTP. The photo is of the iPad (iOS) app.

Setting up two-factor can be a bit of an issue, but only from a time perspective. You need to have the app downloaded so you can get going right away, and then you need to think about the applications where you use your Google identity as your login credential. In some cases these apps are not PAM enabled, so you will be generating application-specific random passwords for these accounts. For example, on my Apple TV I access my YouTube account, but since it is not PAM enabled I generate a random password and then use this to register the account. These random passwords are 16-character passwords generated by the application, so changing them as frequently as I change others is not needed, especially since it is YouTube. In my case, because of the mix of applications and devices (Gmail on my iPad and on my Android, for example), I have 20 apps registered for these random passwords.

In terms of use, the passwords for non-PAM apps are not an issue, as they are configured to not require re-entry every time. For the PAM-enabled apps it is as easy as starting up the Google Authenticator app on my phone, and I am more likely to have that with me than any other hardware-based token. If for some reason I do not have my phone and I REALLY need to access the app, then I have the option of using one of ten one-time-use, pre-generated backup codes, or I can use voice-based OTP, where I can have them call my pre-registered number. I have never had to do either of these, as I always have my phone.

So far I would say it has been a good experience, and I am on the verge of converting my work-related account as well.

Where are things headed? Well, from the conversation yesterday it does sound like Google is looking at alternatives for authentication besides the Authenticator app, but I will leave that conversation for another day.


- Posted using BlogPress from my iPad