Using Google’s Two-Factor Authentication

A few weeks back, Google flipped the switch on two-factor authentication for the masses. While folks traditionally sign into online properties and computing devices using merely a password, two-factor authentication adds another layer of defense. The password is something you know (and set), whereas a second factor is typically something only you possess. In this case, it’s rotating numeric codes provided by Google. And many may be familiar with this sort of authentication procedure via work (or through E*Trade) using RSA SecurID tokens.

To enable Google’s “2-step verification” you’d hit the relevant link from your Account Settings. As part of the registration process, you identify what sort of mobile device you intend to receive your code on. In my case, it’s the iPhone – and Google kindly provides an Authentication app to handle these duties (see pics, below). So when I sign into Google, I provide my password and now, additionally, whatever current code is displayed.

gmail-authenticator-iphone

Thus far, I’m impressed. As someone on Twitter quipped, my Gmail is now more secure than my online banking.

Yet I seem to have hit a snag. Some third-party applications just aren’t designed to handle two-factor authentication. Google attempts to overcome this by providing unique “Application-specific passwords.” I utilize Google Sync (powered by Microsoft Exchange ActiveSync) to not only receive Gmail via my iPhone’s native mail client, but also to keep contacts and calendar events current. In theory, I should be able to authenticate using an application-specific password. And, indeed, I can. But only for a short period of time… before Google no longer recognizes it as valid. I’m not sure if this has been a temporary glitch on Google’s end or if it’s an issue triggered by signing in from different networks (Verizon vs. various WiFi access points). But I’m hopeful this can be resolved. Because, as much as I support additional security, if even I can’t get to my data it’s of limited value.

9 thoughts on “Using Google’s Two-Factor Authentication”

  1. Dave,

    I’ve had two-factor authentication set up for about a week now. Since I entered the application-specific password for the first time, I haven’t been asked again. Have you had it longer than a week?

    -Rich

  2. It was a staggered roll out and I didn’t have access at launch. I noticed Friday or yesterday AM that I could turn it on and did so. So the issues with the application specific password cover the last 24 hours. Two stopped working yesterday, and I didn’t bother generating a third. Before I wrote my post this AM, it was still busted (as I couldn’t email my related iPhone screengrab attachments). BUT sometime after I wrote the post, I noticed password #2 may be working again. Hm. But most definitely glad to hear that it’s working consistently for some folks… as I was ready to turn it all off. Will give it another day or so and see how it goes.

  3. Off-topic, but at least tangential:

    Dave, you should do a post on your experience with Google’s new search algorithm tweaks that you’ve tweeted about. If your blog is going down on relevant searches rather than up, that’s scandalous. I know SEO is normally a hush-hush topic, but if Google is making things worse instead of better, that’s worthy of note…

  4. I intend to… but I’m giving it a week or so to shake out, assuming Google is fine tuning the algorithms and perhaps even hearing my heartache. At this point, I’m somewhat demoralized. But we’ve previously dropped for short periods. Perhaps we’ll rebound once again.

    I haven’t really crunched the numbers, and a longer period of time will provide more meaningful and conclusive data, but at this point overall traffic looks to be down in the 20% – 30% range. Which is significant and clearly related to a reduction of incoming Google queries.

    A Matt Cutts tweet in my direction might indicate we’ve been penalized for previously running paid advertising text links. Wearing all the hats of editor, graphic designer, web master, etc I may not always have the relevant info – perhaps I goofed and this is a belated down ranking. Or maybe our content and topics are just not worthy. Who knows.

    In the interim, and probably beyond, I encourage folks to share any content they deem notable on venues like Facebook, Twitter, LinkedIn, etc. I’ve been playing with different widgets to make submission easier, but I obviously need to pick up my pace… and hope folks utilize them.

  5. Interesting results, Dave. I haven’t had a problem with any of my application-specific passwords and I have like 5 between Mailplane, Adium (GTalk), Reeder, and a number of others. No ActiveSync though as I use IMAP on the iPhone.

  6. I turned two-factor auth on for my Google Apps account last week. Application-specific passwords are cool but I think I have like 15 of them now.

    My Blackberry alone required separate passwords for BIS, the Gmail app, and Google Talk. I think Latitude in Google Maps will need it next time I use that too.

    It was also a pain to have to put in application passwords everywhere for Google Chrome sync… Regardless, it’s pretty awesome to be able to revoke the passwords per application.

  7. As an update, my iPhone has managed to retain its authentication since mid-day yesterday. Not sure what happened that first 24 hours. All these application specific passwords are kind of a pain though. Hm.
