Identity Experiences & Ideas: May 2011

Thursday, May 19, 2011

Google Authenticator

Yesterday I sat in on the Interagency Advisory Board meeting. The first topic of conversation was the Google two factor solution which made me think that I should write a brief piece on my experience with it as I have used it for a few months now on my personal Google account.

The widely available two factor solution is based upon an OATH implementation. It supports both HMAC-based (HOTP) and Time-based (TOTP) one-time password algorithms. Today it has two major components - apps including an Android app, a Blackberry app and a IOS app and; a PAM module that can add two factor authentication to PAM-enabled applications. I use the Android app which allows me to use counter or time based OTP. The photo is of the iPad (IOS) app.

Setting up two factor can be a bit of an issue - but only from a time perspective. You need to have the app downloaded so you can get going right away and then you need to think about your applications where you are using your Google identity as your login credential. In some cases these apps are not PAM enabled so you will be generating application specific random passwords for these accounts. For example - on my Apple TV I access my YouTube account but since it is not PAM enabled I generate a random password and then use this to register the account. These random passwords are 16 character passwords generated by the application so changing them as frequently as I change others is not needed and especially since it is YouTube. In my case because of the mix of applications and devices, Gmail on my iPad and on my Android for example, I have 20 apps registered for these random passwords.

In terms of use - the passwords for non-PAM apps are not an issue as they are configured to not require re-entry every time. For the PAM-enabled apps it is as easy as starting up the Google Authenticator app on my phone and I am more likely to have that with me than any other hardware based token. If for some reason I do not have my phone, and I REALLY need to access the app then I have the option of using one of ten, one time use, pre-generated backup codes or I can use voice based OTP where I can have them call my pre-registered number. I have never had to do either of these as I always have my phone.

So far I would say it has been a good experience and I am on the verge of converting my work-related account as well.

Where are things headed? Well from the conversation yesterday it does sound like Google is looking at alternatives for authentication besides the Authenticator app but I will leave that conversation for another day.

- Posted using BlogPress from my iPad

Who I am ....

An interesting thing on a blog about identity .... who is the author?

Well .... I guess it is a case where you want to divulge enough to have people stay interested but not too much as to create an identity issue.

I started in the data communications arena in the earlier part of the '80s. My first foray into security was helping solve an accounting issue in a switch at the German Bundespost. For the next few years after that I applied all those years of math, graph theory and computer science logic to designing data networks for banks and governments around the world.

In the early-mid '90s I was giving the opportunity to get involved with public key technology and have spent the last 20 plus years helping organizations and governments on the technical, application and policy side of "federated" identity. Over the last few years I have continued work on identity but now beyond PKI.

There is so much potential here ... we just need to be logical ... and not just technically logical but also logical in implementation and operational ideas and logical in considering what it is that people want and need.

Check the link in Datapoints below for "More About Me"

Thursday, May 19, 2011

Google Authenticator

Follow Me ... RSS