Google 2-step authentication and Android

rumpleforeskin

Senior member
Nov 3, 2008
380
13
81
I enabled 2-step authentication using Google Authenticator for my LastPass master password to increase its security, and I like it; it's simple to use, and on my trusted home computer it's practically invisible.

So I thought I would try to use it with my Gmail account, which again works well on a PC, but it's really difficult with my Android apps.

When I try to use the Gmail app it now opens my browser and every few days asks for the verification password, which is a pain in the hoop to set up, flicking between two mobile browser tabs.

Is there a way to make this more user friendly on the mobile, as I would hate to turn it off just to keep my life easier?

Thanks
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I don't remember the details of when I first set up 2-step, but I have it running on my gmail account, and the gmail app on my phone never does what you're experiencing.

If I go into my 2-step settings, and click the "manage application-specific passwords" link, I have Android Login Service granted Full Account Access, and I also see that I created an application-specific password for my phone. Like I said, I don't remember the details of what I did when I first configured it, but maybe those settings can get you pointed in the right direction.
 

rumpleforeskin

Senior member
Nov 3, 2008
380
13
81
Thanks, that was pretty helpful.

I misunderstood what was supposed to happen.
I thought I would enter my username, then my password, then be prompted for the unique one-off key,

but because I was using my old password in an app that could not accept 2-step, it was taking me to the Gmail website.

I should have entered the unique key as the password directly in the app; now it's all working as it should. There are not actually 2 steps in the 2-step when using a unique software key :rolleyes
 

rumpleforeskin

Senior member
Nov 3, 2008
380
13
81
Now I have learnt how the application-specific password (ASP) system works, I'm starting to think it will be less secure to use 2-step authentication, as it will in fact reduce security if you require an ASP for a phone.

This is my logic:

2-step authentication, as the name suggests, requires 2 things: something you know and something you own.

But because non-browser-based phone apps do not have the facility for 2-step authentication, you can replace it with an ASP.

The ASP is a random 16-digit code that allows you to log in without the 2nd step of verification.

But the name ASP fools you, as it's not application specific. You can use this ASP in place of your regular password anywhere, on any number of devices, and it will bypass the 2nd step. The Google guide shows that you should set up a different ASP for each app, so you could end up with many ASPs.


So my concern is that you may have a primary password that is longer than 16 chars, but then add several weaker passwords. Also, the more passwords you have for the same account, the easier it would be to find just one that works. And these weaker passwords do not require the 2nd authentication.

Am I mistaken in my understanding? Or is 2-step authentication only stronger if you do not want to use it with ASPs on phones?

If this is the case, then would it not be more secure to just use the normal password system, but with a password longer than 16 chars and of suitable complexity?

Thoughts?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
When you assign an ASP to your phone, you're basically setting it up as a trusted device. Hopefully you have some additional security (password, PIN, or pattern) on your phone that would prevent quick access to your Gmail account or anything else on the phone if it is lost or stolen. Remember that ASPs can be revoked. So, if your phone is lost, you should immediately access your Google account settings from a trusted computer (or from a non-trusted computer by using the backup codes you were given during 2-step setup) and revoke the ASP for your phone.

As for brute-forcing an ASP... I'm not sure what controls (if any) Google has put in place to detect/prevent that from happening. But we're talking about 16 characters here... that (theoretically) would take far too long to crack for it to be a danger.

The ASP system is there for convenience. And you are correct, there is almost always a trade-off between security and convenience. But in the broader view, a Google/Gmail account with 2-step enabled is absolutely more secure than one that doesn't use it.
 

rumpleforeskin

Senior member
Nov 3, 2008
380
13
81
When you assign an ASP to your phone, you're basically setting it up as a trusted device

That was how I thought it was going to work, but I used the same ASP to sign in on my Android tablet, which made me think the ASP could be used by anyone on any machine, instead of it making only that machine a trusted machine!

I take your point about the strength of 16-character passwords; a quick online brute-force calculator suggests that a 16-character password made of lower case and numbers would take 162458788742456 years to brute-force. That was at a speed of 1,575,000,000 passwords/second (the speed of hashcat running on a single HD 6970).

So for sure the security is still strong; I was just pondering any security reduction from a theoretical standpoint.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
I tried 2-step, but I found the same thing. It BLOWS when it comes to your Android apps and other devices. Yeah, you can assign the device, but that only lasts 30 days and you must do it all over again.

Truck it. If someone wants to hack into my account then so be it. Take it all. I'll make Visa pay for it. I went back to 1 step.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
That was how I thought it was going to work, but I used the same ASP to sign in on my Android tablet, which made me think the ASP could be used by anyone on any machine, instead of it making only that machine a trusted machine!

I take your point about the strength of 16-character passwords; a quick online brute-force calculator suggests that a 16-character password made of lower case and numbers would take 162458788742456 years to brute-force. That was at a speed of 1,575,000,000 passwords/second (the speed of hashcat running on a single HD 6970).

So for sure the security is still strong; I was just pondering any security reduction from a theoretical standpoint.

And I believe Google will require a CAPTCHA after 3 or so incorrect attempts, which would slow a brute force down significantly. And I wouldn't be surprised if they limit attempt speed even further on (1 try every 5 minutes, for example).

Also note, while it's true an application-specific password (ASP) doesn't require the one-time auth code, I believe you're limited in what you can do with it. So if you *SOMEHOW* got hold of one of those ASPs... you could delete a user's email, but you can't change their account settings or password without the actual password and a one-time code.... And I like that you can revoke those ASPs as well. So if a device is lost/stolen, you just cancel its ASP and move on. You don't have to reset your password across 20 different devices/programs.
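As an added illustration (not code from the thread, and not Google's implementation), here is a toy Python model of the account design the posts above describe: ASPs are issued per device and revocable, skip the one-time code, are not bound to the device they were issued for, and are honoured only for mail, while changing settings still needs the primary password plus a code. It also redoes the brute-force arithmetic from the calculator post; the 36-symbol alphabet (lower case plus digits) and the 1,575,000,000 guesses/second are taken from that post, and the hashing is a stand-in for a real password KDF.

```python
import hashlib
import hmac
import math
import secrets

ASP_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumption: matches the calculator post
ASP_LENGTH = 16


def brute_force_years(alphabet_size, length, guesses_per_second):
    """Worst-case years to enumerate the whole keyspace at a fixed guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)


class Account:
    """Constructed model: one primary password + one-time code, many revocable ASPs."""

    def __init__(self, primary_password):
        self._primary = self._hash(primary_password)
        self._asps = {}  # device label -> hashed ASP

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()  # toy; use a slow KDF for real

    def issue_asp(self, label):
        """Generate a random ASP for a device; the clear text is shown once and stored hashed."""
        asp = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        self._asps[label] = self._hash(asp)
        return asp

    def revoke_asp(self, label):
        """Lost or stolen device: drop its ASP without touching the primary password."""
        return self._asps.pop(label, None) is not None

    def authorize(self, secret, otp_ok, action):
        """True if `secret` may perform `action` ('mail' or 'change_settings').
        The primary password needs a valid one-time code for anything.
        Any live ASP skips the code but is limited to mail, from any device."""
        h = self._hash(secret)
        if hmac.compare_digest(h, self._primary):
            return otp_ok
        if any(hmac.compare_digest(h, stored) for stored in self._asps.values()):
            return action == "mail"
        return False
```

Running `brute_force_years(36, 16, 1_575_000_000)` gives roughly 1.6e8 years, so a 16-character ASP is far beyond online guessing even before the CAPTCHA and rate limits mentioned above.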
 

freegeeks

Diamond Member
May 7, 2001
5,460
1
81
I tried 2-step, but I found the same thing. It BLOWS when it comes to your Android apps and other devices. Yeah, you can assign the device, but that only lasts 30 days and you must do it all over again.

Truck it. If someone wants to hack into my account then so be it. Take it all. I'll make Visa pay for it. I went back to 1 step.

My ASPs stay active until I revoke them. Google 2-step authentication is a very good tradeoff between security and convenience. I just set up passwords for my different devices (smartphone, iPad, ...). If one gets stolen you can just revoke the password and your Gmail account is safe on that device. I only see benefits in using 2-step authentication + revocation list and zero drawbacks. I wish PayPal would introduce something like this.