Monday, October 3, 2011

Google 2-Step Verification Is Not Two-Factor Authentication

Earlier this year, Google announced that 2-step verification had been rolled out to all Google accounts.  It requires the user to provide a one-time password (OTP) after entering the memorized password.  One way to generate the OTP is via the mobile app Google Authenticator on a smart phone, which works very similarly to the two-factor authentication devices used by VeriSign VIP, RSA SecurID, and YubiKey.  But there are a few things that make the OTP for Google accounts different from these two-factor authentication providers.

The first thing that we notice is that Google has made its OTP generation algorithm open-source; the OTP is computed from synchronized time.  Although the configuration user interface makes it a bit difficult to retrieve the key after the user initially sets up 2-step verification, the key itself is still available, especially when the user has printed out the QR code (or simply instructed the web page to output the key string when configuring a camera-less smart phone such as a BlackBerry).  One can scan the QR code again to get the key and re-load it on more than one device.  I, for example, have managed to enable Google Authenticator on many different devices (one BlackBerry device and two Android devices) for my own convenience.  So this ability fundamentally weakens "the second factor," which traditionally is something you own, in contrast to the password, which is something you know.  One can argue that if you have multiple devices that can generate the same OTP, it is less likely that you can be sure that you have possession of all of them at all times.

Think about it: when you can write the key down or print the QR code out and later re-scan it, the OTP does not actually represent something that you own, but another thing that you know.  So if a key logger can steal your password, another piece of malware may steal the key to the OTP if you print the QR code into something like a PDF file, or store the key in a text file.  With the published algorithm for generating the OTP, this form of 2-step verification is really a two-password scheme.

Furthermore, with a single-password mechanism, the server should store the password as a salted one-way hash (neither as plain text nor as an un-salted hash).  In the event of an internal attack, we have reasonable assurance that even if the master user database were breached, hackers would not easily extract the password from the hash.  But it is a totally different scenario with the OTP key, as Google must be able to decrypt it (if it is encrypted) from the user identity store in order to compute the OTP value and compare it with the user's submission.  In some respects, it is harder for Google to protect this key from an internal attack than it is to protect the user password.  Theoretically speaking, it requires both Google and users to raise the barrier guarding the OTP key.
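The time-synchronized algorithm the post refers to is HOTP/TOTP (RFC 4226 / RFC 6238), which is what Google Authenticator implements.  The following Python is an added example, not code from the post or from Google: it computes a 6-digit code from a base32 key (the RFC reference key "12345678901234567890" is used as the sample), shows the server-side check that needs the raw key, and sets it beside salted password storage, which does not.

```python
import base64
import hashlib
import hmac
import os
import struct

# RFC 4226 / RFC 6238 reference key ("12345678901234567890") in the base32 form
# Google Authenticator accepts from a QR code or a typed-in key string.
SAMPLE_BASE32_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_key: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: HOTP with counter = floor(time / 30).
    Anyone holding the key (a second device, a printed QR code, a text file) gets the same code."""
    return hotp(base64.b32decode(base32_key.upper()), unix_time // step)


def verify_totp(base32_key: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check.  The verifier must hold the raw key to recompute the code, so the
    key can at best be stored encrypted, never as a one-way hash.  Tolerates +/- one step of drift."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(base32_key, unix_time + delta * 30), submitted):
            return True
    return False


def store_password(password: str, salt: bytes = b"") -> tuple:
    """Contrast: a password is stored as a salted one-way hash; the server never needs the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(record: tuple, password: str) -> bool:
    """Recompute the salted hash and compare in constant time; the stored record does not reveal the password."""
    salt, digest = record
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)
```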

It also makes Google the sole target for hackers, as it must maintain both the password and the OTP key.  In the case of YubiKey or VeriSign VIP, at least the key is stored by a third party.  We can only imagine that Google does this to lower the cost of providing more security without passing on to consumers the cost payable to such a third party.

Don't get me wrong: even with these implications, 2-step verification makes account hacking a lot more difficult, as a brute-force attack would have to cover at least six additional digits on top of the existing password, making the attack space much bigger.  Aside from that, the initial login process requires at least two HTTP requests to Google's servers, which tremendously slows down the rate of attempts that such attacks can achieve.

In conclusion, if you really want to use the most secure two-factor authentication, your only choice is not the Google Authenticator app but 2-step verification via SMS.  You also want to make sure that you provide a real mobile number when setting up the SMS number, not a service that can relay SMS messages to other devices, which probably excludes Sprint devices that are linked to Google Voice.  This is the only way to ensure that you have a single device that receives the authentication code.  However, there are other issues with the SMS mechanism, such as its failure to work when the phone is not in range of any cell tower, or when the carrier has a problem that delays SMS delivery.  Most importantly, you pay the usurious SMS rate for every OTP you receive if you do not already have an unlimited SMS plan, which is equally exorbitant.