Oct 30, 2014

I’ve been trying out Google App Engine, for which I signed up with the Google account where I just enabled 2FA. Of course, that means changing the way I update the uploaded trial application; the standard Google password has to give way to either a specific application-based password, or OAuth 2. OAuth 2 is obviously (to me) the better way to go.

The documentation is reasonably straightforward. It even works as documented, assuming you’re signed in with the right Google account in your default browser. My workflow is a little different: my main browser (Firefox) is signed into my main Google account, and I sign into my other Google account (which I’m using for this development project) on Chrome. Copying the URL from Firefox to Chrome to allow the appcfg application access to that Google account worked; it’s refreshing to see. I get tired of web applications that use some hidden JavaScript magic and give you nonsensical results if you copy a URL from one browser to another.

There’s something appealing about OAuth 2, even if it appears a little too magical at times (a bit like git; when it works it’s magical, when it doesn’t, good luck!).

Oct 27, 2014

Two-factor authentication is generally seen as a good idea; there’s a certain amount of hand-wringing over the fact that more people don’t turn it on. The problem is, it’s one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can’t tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I use the authenticator app for my Google account 2FA, instead of using the SMS system. Just a hint: set it up while you still have access to your text messages, since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place ‘on a computer’ (it isn’t specified whether a tablet is sufficient; I used the desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don’t need your SMS system, as long as you have the device with the Authenticator app on it.
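The reason the SMS channel is no longer needed once the app is enrolled is that an authenticator app computes codes purely from a shared secret and the current time (RFC 6238 TOTP over RFC 4226 HOTP), with no network involved. As an added illustration, which is my own code and not part of the original post or of Google's Authenticator app, here is a self-contained TOTP generator and verifier in Python. The verifier tolerates one 30-second step of clock skew in either direction and rejects a code that has already been accepted, since a TOTP code is otherwise replayable for the rest of its step. The base32 secret string in the demo is a constructed value; the ASCII secret `12345678901234567890` is the published RFC 4226/6238 test secret. Function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (Google uses 30 s / 6 digits)."""
    return hotp(secret, for_time // step, digits, digestmod)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps share the secret as base32, often unpadded and space-grouped for display."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore the padding base32 decoding requires
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, now: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """
    Server-side check. Returns the time-step counter the code matched, or None.

    window       -> accept codes from +/- this many steps to absorb clock skew.
    last_counter -> the counter of the last code this account accepted; anything at or
                    before it is refused, so a code cannot be replayed within its step.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    counter = now // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo secret in the form an authenticator app would be provisioned with.
    shared = decode_base32_secret("jbsw y3dp ehpk 3pxp")
    now = int(time.time())
    code = totp(shared, now)
    print("current code:", code)
    accepted = verify_totp(shared, code, now)
    print("accepted at counter:", accepted)
    # Presenting the same code again, with the accepted counter recorded, is refused.
    print("replay accepted:", verify_totp(shared, code, now, last_counter=accepted))
```

The `last_counter` bookkeeping is the part most home-grown verifiers forget: without it, a code captured by phishing or shoulder-surfing is good for up to 30 seconds plus the skew window, which is exactly the gap real-time phishing kits exploit.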

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn’t take long, but I’m sure some time in the future I will have forgotten and be wondering why I can’t log in with a valid password.

And I understand what’s going on, more or less, and think the short-term hassles are worth it. There are lots of people who don’t have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I’d be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I’ve heard points to a lower real adoption rate.
