A few weeks back, Google flipped the switch on two-factor authentication for the masses. While folks traditionally sign into online properties and computing devices using merely a password, two-factor authentication adds another layer of defense. The password is something you know (and set), whereas a second factor is typically something only you possess. In this case, it’s rotating numeric codes provided by Google. And many may be familiar with this sort of authentication procedure via work (or through E*Trade) using RSA SecurID tokens.
To enable Google’s “2-step verification” you’d hit the relevant link from your Account Settings. As part of the registration process, you identify what sort of mobile device you intend to receive your code on. In my case, it’s the iPhone – and Google kindly provides an Authentication app to handle these duties (see pics, below). So when I sign into Google, I provide my password and now, additionally, whatever current code is displayed.
Thus far, I’m impressed. As someone on Twitter quipped, my Gmail is now more secure than my online banking.
Yet I seem to have hit a snag. Some third-party applications just aren’t designed to handle two-factor authentication. Google attempts to overcome this by providing unique “Application-specific passwords.” I utilize Google Sync (powered by Microsoft Exchange ActiveSync) to not only receive Gmail via my iPhone’s native mail client, but also to keep contacts and calendar events current. In theory, I should be able to authenticate using an application-specific password. And, indeed, I can. But only for a short period of time… before Google no longer recognizes it as valid. I’m not sure if this has been a temporary glitch on Google’s end or if it’s an issue triggered by signing in from different networks (Verizon vs. various WiFi access points). But I’m hopeful this can be resolved. Because, as much as I support additional security, if even I can’t get to my data, it’s of limited value.