How Do You Enable Better Security? Two Factor Authentication


What is two factor authentication?

Typically, we log in somewhere with an ID and a password. That combination works everywhere, every time, and is often saved on the device. It’s convenient, but if someone knows your ID and password, they can log in from anywhere and get to everything controlled by that account. If it’s something like a Google account, that might include your email, files, calendar, and every site that lets you log in with your Google credentials.

With two factor authentication, logging in on a new or untrusted device requires that ID and password, plus a code delivered to (or generated on) an independent device. Even if someone knows your ID and password, they still won’t have that device.

2-step verification drastically reduces the chances of someone else stealing the personal information in your Google account. Why? Because an attacker would have to get not only your username and password, but also your phone.

Here’s what I had to do to enable two step authentication on my Google apps account:

  • logged in at and went to the account security page at
  • installed the “Google Authenticator App” on my iPhone to receive verification codes
  • set the computer I’m setting this up on as trusted (the default setting). It’s my home desktop and it’s reasonably secure.
  • turned on 2-step verification
  • added backup phones (home phone, wife’s mobile)
  • clicked the button to go forward with creating application specific passwords and to review applications with access to my Google account — WOW, there are sure a lot of them.
  • at this point, all sorts of “unable to log in” boxes are popping up on things
  • generated and entered app specific passwords for
    • iPhone mail
    • iPad mail
    • desktop mail
    • Mac mail (had to also enter the password for the calendar app)
    • Chrome sync
  • enabled browser logins to Google services on each device and checked the “good for 30 days” box.

On my account management page, I can disable all of those verification codes. It would be nice if I could see which codes had been used and deactivate individual devices, but in an emergency situation, I suppose it’s best to disable any device not marked as trusted.

The total setup time, including taking notes and typing really difficult strings was about 20 minutes. I like to think that my 9th grade touch typing teacher, who didn’t see much promise in me or my attitude, would be very proud of me as I typed those 16 character passwords.

The Google Authenticator app is interesting – it works like those RSA tokens that present a new code every 30 seconds or so. The code is a time-based one-time password (TOTP, RFC 6238): the app and Google share a secret, and each 30-second interval is turned into a six-digit code with an HMAC, so the app needs no network connection, only a reasonably accurate clock.

Current Version of the Application on iPhone

Denial of Service: Oops

I had a Firefox crash yesterday that seems to have corrupted the form-completion database and/or some saved cookies. It’s been no big deal; I just have to log in again to a lot of web sites. It was going OK until I got to my bank’s site today to pay some bills. I know exactly what my password is, because I have to type it in every time I visit, but I’ve long since forgotten my user ID. It wasn’t in the document in which I record user IDs and password hints.

I tried three or four times with each possible user ID, and after the 3rd or 4th time, I got the “your account has been locked” notice. After doing this for about 20 minutes, I folded and called customer service. After the usual set of identification questions, I got my user ID. (Darn! Yeah, now I remember it.) I asked the person at the other end, a very nice person, what had happened to the folks whose IDs I’d been trying. He said that they’re locked out until they, too, call customer service.

So, if you try to login to your bank and your account is locked, my sincere apologies. 

The bigger issue, of course, is that someone could do this maliciously. If I know your bank account user ID, I can lock you out of it with a script that tries (and fails) to log in, run every 10 minutes so the lock never gets a chance to clear. Similarly, if your network has a terminal server reachable, I can lock out any number of users, including the administrator, the same way. That would be annoying.

Consider the case, however, where I already have access to your system and want to do something bad to it. While I’m in, it would be a good idea for me to lock the doors behind me, to keep out any admins who might be notified if and when I set off an alarm: a handful of deliberate failed logins against the admin accounts does exactly that. When setting up access policies, it’s important to remember that an account lockout can lock you out while someone else is inside, doing something nasty to your system. Make sure you have a secure back door, and make sure it uses its own key: an emergency (break-glass) account that the lockout policy cannot close, with a credential that is not shared with the everyday admin accounts.
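To make the two preceding paragraphs concrete, here is an added example (a simulation written for this page, not the bank’s or any vendor’s code) of a login gate whose lockout policy is harder to turn into a denial of service: account locks expire on their own instead of waiting for a phone call, the source doing the failing is throttled as well as the account it targets, and a designated break-glass account is never locked by failures. The policy numbers, account names, passwords and source addresses are all constructed for the demo; a real system stores password hashes and alerts on break-glass failures.

```python
"""Simulated login gate showing a lockout policy that resists being used as a denial of service.

Added example, not the bank's or any vendor's code. Policy numbers, account names,
passwords and source addresses are constructed for the demo; a real system stores
password hashes and would alert on break-glass failures rather than silently allowing them.
"""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5          # account failures inside `window` before the account locks
    window: int = 600              # seconds over which failures are counted
    lock_duration: int = 900       # account auto-unlocks after this; no helpdesk call needed
    source_max_failures: int = 20  # failures from one source (any account) before it is blocked
    source_block: int = 3600       # seconds the offending source stays blocked


class LoginGate:
    def __init__(self, policy, credentials, break_glass=()):
        self.policy = policy
        self.credentials = dict(credentials)      # user -> password (constructed demo data)
        self.break_glass = set(break_glass)       # accounts the lockout policy must never close
        self.failures = defaultdict(deque)        # user -> recent failure timestamps
        self.locked_until = {}                    # user -> unlock time
        self.source_failures = defaultdict(deque)
        self.source_blocked_until = {}

    def _note(self, dq, now):
        """Append a failure timestamp, discarding those older than the policy window."""
        while dq and dq[0] <= now - self.policy.window:
            dq.popleft()
        dq.append(now)

    def attempt(self, user, password, source, now):
        p = self.policy
        # 1. A source that keeps failing is cut off, whichever accounts it targets.
        if self.source_blocked_until.get(source, 0) > now:
            return "source_blocked"
        expected = self.credentials.get(user)
        locked = self.locked_until.get(user, 0) > now
        if expected is not None and hmac.compare_digest(expected, password) and not locked:
            self.failures[user].clear()
            return "ok"
        # 2. Every non-success counts against the source, including hammering a locked account.
        self._note(self.source_failures[source], now)
        if len(self.source_failures[source]) >= p.source_max_failures:
            self.source_blocked_until[source] = now + p.source_block
        if locked:
            return "locked"
        # 3. Time-limited account lock: a lockout script only delays the owner, it cannot keep
        #    them out for good, and it cannot lock the break-glass account at all.
        self._note(self.failures[user], now)
        if user not in self.break_glass and len(self.failures[user]) >= p.max_failures:
            self.locked_until[user] = now + p.lock_duration
            self.failures[user].clear()
            return "locked"
        return "denied"


def simulate():
    """Replay the scenario from the post: a script fails logins against a victim account."""
    gate = LoginGate(LockoutPolicy(),
                     {"alice": "correct horse", "breakglass": "separate-hw-token-pin"},
                     break_glass={"breakglass"})
    attacker, owner = "203.0.113.5", "198.51.100.7"   # RFC 5737 documentation addresses
    out = {}
    # The lockout script: a wrong password against alice every 10 seconds.
    for i in range(5):
        out[f"attack_{i}"] = gate.attempt("alice", "guess", attacker, now=10 * i)
    # alice is shut out while the lock lasts ...
    out["owner_during_lock"] = gate.attempt("alice", "correct horse", owner, now=100)
    # ... but gets back in once it expires, with no call to customer service.
    out["owner_after_lock"] = gate.attempt("alice", "correct horse", owner, now=1000)
    # The script turns on the break-glass account: it never locks.
    for i in range(10):
        out["breakglass_attack"] = gate.attempt("breakglass", "guess", attacker, now=2000 + i)
    out["breakglass_owner"] = gate.attempt("breakglass", "separate-hw-token-pin", owner, now=2020)
    # Enough failures from one source block that source, even once it has the right password.
    for i in range(10):
        gate.attempt("alice", "guess", attacker, now=2100 + i)
    out["attacker_blocked"] = gate.attempt("alice", "correct horse", attacker, now=2120)
    return out


if __name__ == "__main__":
    for event, result in simulate().items():
        print(f"{event:18s} {result}")
```

Source-based throttling is only a partial answer, since an attacker with many addresses can spread the failures out; the parts that actually protect the owner are the lock that expires by itself and the break-glass account with its own credential, which is the point the text makes.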