A few months back Google introduced "2-step
for all Google accounts. This amounted to multi-factor authentication
(something you know (password) and something you have (token)) for all
web-based Google applications. Cool, right? They created an app for
the Android, I-Phone, and Blackberry devices that acted like a token and
if you don't have one of these devices Google can just send you a code
via a text message for you to use to login. Okay so far?
Up until this point I'd say that Google has done a pretty good job on
this implementation. Of course we haven't included those users that
access their Google accounts via a third-party program (Thunderbird for
email, their Android device, maybe some plug-in for Blogger, etc).
These programs don't have a mechanism for logging in with multi-factor
authentication. Google thought about this and created application
that you can use for a program to gain access without using a token.
The passwords appear to be sixteen randomly generated numbers and
letters and cannot be viewed after they have been viewed that first
This is an interesting concept. Essentially you have many keys that now
fit the same lock. Loose control of one of those keys and you can
simply nullify the key remotely. So far so good? Well, what you have
also done is increase the number of keys that can get access to your
system. If a brute force attack were done against a Google account
before 2-step verification was enacted the security was up to the user's
password strength. Now an attacker has multiple chances to gain access
to the same lock because there are many more keys available.
I would like to point out that sixteen-character passwords are a lot
better than most people's passwords which average eight characters or
less. But is having more
keys to the lock (and knowing characteristics about that key) more of a
security problem that what is being used without the 2-step
verification? I guess time will tell. I would like to point out that I
don't have a better solution to the third-party application issue.
Perhaps some sort of machine readable token?