Monday, July 22, 2013

a look on the Google's two-factor auth

Now that I've been burned and had to enforce two-factor authentication for a private mail account (which obviously I thought it wasn't worth it), I get to look at the implementation options they've included. And I have to say I'm really impressed.

First factor - something you know - your password
Second factor - something you have - the phone or a dongle or a piece of paper. Or an application, as we'll see.

Right ? That we know.

A carefully crafted two-factor authentication which I've only started to use yesterday, being forced to do so ( ha ... ) gives you these options:

1. the mobile phone - receive SMS with the codes.
2. an app on the mobile phone. Google Authenticator. This generates the codes on your mobile, and it's the missing link between the site and you, because it won't involve your mobile operator delivering the SMS messages in due time. They tend to delay SMS messages, specifically when they're overloaded (on Christmas, for example)
3. backup codes. This is the piece of paper on which you write the access keys.
4. backup mobile phone ! You can add your wife's, or your second mobile, should you lose the main device. This looks like you can have the backup dongle receiving the SMS codes.

As a user, I now have:

- the dongle: my first mobile device
- at least one second dongle: my wife's device
- the application running on the first mobile device
- the piece of paper

So yes, they've implemented this geeky method in a smart way.

No comments: