A couple of weeks ago, we brought to your attention the newly released two-factor authentication that Google rolled out for all of its web-based products (Gmail, Google Docs, Google Calendar, etc.). So now that it’s been out for a few weeks, and it’s finally had a chance to make its rounds to everyone’s accounts, let’s take a step back and see how it actually works.

We’ve talked about the importance of two-factor authentication in the past, and even a few other areas where it’s implemented.

Google did an excellent job of putting together some tutorials on how to set up everything and ensure your experience is pleasant. I would go into a detailed tutorial on all of this myself, but really I doubt I could do a better job than they did. But for those who just want a quick refresher, here goes. You can also read a fairly straightforward take on everything directly from Google themselves and learn how it works.

  1. Setup
  2. Signing in with verification codes
  3. Signing in using application-specific passwords


Setup

Go to your Accounts settings page and look for the Using 2-step verification link. If you have the link, click it and start the setup process.

If you do not see the link and you are a Google Apps user, you might have to access the 2-step verification setup through a special URL. It is also possible that your domain administrator has not yet set it up for your organization. Check with your domain administrator to find out.

Once you have it enabled you’ll want to choose your primary form of contact in order to determine your verification code. If you have a “smart device” you can download an app for it which will provide an RSA key generator and generate random verification codes directly on your device.

Depending on what flavor of OS you have on your device, you’ll need to grab it from a different location.

  • Android – Search for Google Authenticator from the Marketplace, or install it remotely
  • iThings (iPhone, iPod Touch, iPad) – Search for Google Authenticator in the App Store.
  • BlackBerry – Browse to http://m.google.com/authenticator from your device to download and install.
  • WinMo / Win Phone 7 – Sorry, Google simply doesn’t love you yet, but you can still have the codes sent to you via SMS or listen to a voice message. This can be found on the Setup Page.

Signing in with verification codes

Once you have the Google Authenticator set up (or enabled SMS / voice messaging, again sorry WinMo guys, I feel your pain), you’re ready to roll with two-factor authentication. Once the set-up is complete, you’ll be logged out automatically. Go to log in again, and suddenly you’re now required to enter a verification code. Welcome to the second factor!

The Google Authenticator app generates a new one-time passcode every 30 seconds, using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth). These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.

The applications support:

  • Multiple accounts
  • Support for 30-second TOTP codes
  • Support for counter-based HOTP codes
  • Manual key entry of RFC 3548 base32 key strings

Signing in using application-specific passwords

Great, now you’ve added a 2nd factor to your authentication (something you HAVE). But what about all the other areas where you interact with your Google Account? Perhaps you use GTalk, or access your email via POP/IMAP. Well, Google has thought of that as well, and I personally like the way they implemented this.

Google has implemented a per-application password generation process that links a randomly generated password to your Google account. So what you do is generate a password, add a label recording which application or service you’ll be using it for (so that you can track it later), and then plug that password into the application or service where you normally would have used your standard Google account password. The key here is relying on the password storage of the app or tool where you’re using it. You’d mostly want to enable “remember my password” on these tools, as most of you probably already do. The reason I think this is a little safer is that you can now remotely wipe those passwords.

You have the ability to revoke passwords from your account settings page on Google. So let’s say you access your Gmail from your laptop through Thunderbird. Your laptop is now lost or stolen. Along with other measures you should have already taken to protect your data, you can now simply revoke the password you’ve assigned to Thunderbird, and it has now just lost access to your email.

You do need to be careful, though, as I found out already: when you generate the passwords for your apps, you only get one shot at viewing the password. Once you click the “hide” button, it’s gone forever, or at least out of sight forever. It’s a password generator, not a manager. So now I actually have two different passwords for my Thunderbird access: one for incoming mail, and one for outgoing mail (SMTP). As a bonus, it provides a little extra security as well.

The random passwords that are generated consist of 16 characters and utilize lowercase letters and numbers, so they’re complex enough to resist most brute force attacks.


So there you have it. If you’re a business utilizing Google Apps, or an entrepreneur using Google as your email and document repository, I’d seriously consider enabling the two-factor authentication that Google has rolled out.

But WHY should you enable this, you might ask? Well, consider the scenario where you’ve used strong passwords, you’ve ensured that you haven’t reused the same password, and you’ve done everything to protect yourself. You’re still limited to a single point of failure. No matter how paranoid and secure you are, the PASSWORD is still your weakest link. Key loggers, network sniffers, or just someone eavesdropping is all it takes. If that one item is out in the open, then you’re doomed. But now add a 2nd form of authentication, something you have, along with something you know. You know your password, and now you also have something, whether that be a digital certificate in the form of a secure token, or in this scenario a randomly-generated code that is only available on your device (and for a limited time, at that). So, not only would someone need to know your password, they’d need to have access to your phone (which I hope you’re also protecting with a password, swipe pattern, or PIN).

And let’s not forget the added bonus that Google is offering with individual application password generation, and the ability to remotely revoke those passwords. It’s like getting your cake and being able to eat it too!

5 thoughts on “Google’s Two-Factor Authentication – Revisited”

  1. Jason Zhao says:

    I have a question, if someone already knows your regular password, why can’t they just also install google authenticator on their own android phone and generate the OTP from their phone?

  2. Tim says:

    If you have any suspicion at all that your password is already compromised, then I would change it right before enabling two-factor authentication. This is probably a good practice in general along with using rotating passwords (change them every 90 days or so). This person would also need to sync their Android device with your account in order for the OTP Authenticator to install as well.

    Though, since you mention it, this would be a devious way to lock someone out of their account, by enabling two-factor without their knowledge, but at this point the number of notifications and alerts that are sent in conjunction would surely tip someone off, and to cover those tracks, your account would already be completely owned.

  3. Jason Zhao says:

    Thanks for the reply. My Gmail password was stolen by someone because I lost my flash drive that contained all my passwords. I was just wondering if OTP will protect me in that scenario when someone already knows my regular password; I guess it will not?

  4. Tim says:

    @Jason – As I said, if you feel you’ve already been compromised, changing all your passwords should be the first thing you do. Once this is done, and two-factor is enabled, then you’d require the new password AND the verification code from the OTP app. So any old passwords would be useless at that point. Even knowing your new password, they’d still require the OTP app in order to access your account and activate the OTP app on their phone.

    Your scenario does prove why enabling two-factor authentication is important: you’re no longer limited to a single point of failure.

    Hope that clears things up a bit.
