Google's 2-step verification horror

Google has released a new security measure to help you protect your ever-increasing amount of data stored on their servers. This 2-step authentication means that when you log in to your Google account with your username and password, you will receive a code by SMS message. Only after entering this code will you be able to get to your data.

Even though I don’t have a lot of data on Google’s servers (I hardly ever use Gmail or Google Docs, mainly just Google Reader) I thought that it was a good idea to activate this service – better safe than sorry, right?

Activating 2-step verification

So I went ahead and activated the service. The procedure is fairly easy: first you switch the service on, then you configure your mobile phone number and activate it with the code you receive by SMS. Finally you have the possibility to print out a list of backup verification codes. Google advises you to keep this list in your wallet, which I found very strange: if you lose your wallet, you give the lucky ‘finder’ the possibility to get into your Google account without needing the SMS confirmation.

I immediately tried it out by opening Google Reader, and yes: after I gave my Google credentials I received an SMS message with a new code from Google. They appear to be sending them from the UK, which means that –with the current roaming rates in Europe– they are willing to spend a small fortune on better security. When I entered the verification code I noticed that fortunately there is a possibility to remember the verification on a computer for 30 days. It worked!

External applications

Satisfied, I closed the browser window and went on with other issues. Later that day I opened Reeder on my iPhone to read some news, but got an error. It appears that by activating the 2-step verification all access from external applications is blocked automatically. To re-enable access to your Google account from a third-party application, you will have to generate a special password for that application only:

Some mobile or desktop applications that work outside of a browser aren't yet compatible with 2-step verification. These applications are hard-coded to ask for a username and password, and do not prompt for a verification code. If you want one of these applications to access your Google Account, you must enter an application-specific password, not your Google Account password, when asked for a password.

I went ahead and generated passwords for IMAP access, Reeder for iPhone, FlipBook, Reeder for iPad, Feedly, Google Earth and a bunch of other applications. After generating each password, Google warns you that you will not be able to see the password anymore once you close the screen, so I made sure to configure each application immediately and test it before going on with the next application.

Does it make sense?

After a while I started wondering what the heck I was doing. On the one hand I had made my account more secure, because whenever I access my account through the browser I have to give the SMS verification code. However, if instead of the browser I access my data through an external application, I can choose from a whole list of valid passwords for my account. API access went from a single username/password combination to a whole bunch of passwords valid for the same username.

I know that Google sees the browser window as the principal interface to their services, and for users who work that way, the 2-step notification process is quite an improvement. However, I see the browser as just one of the many interfaces/applications I use to access my data on Google’s servers. To me it makes no sense that –even though one application increased its security– the security level for all other applications is significantly lowered.
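To make the asymmetry concrete, here is a small added Python model of the two login paths described above (it is not Google's code; the SMS code generation, hashing and application names are constructed for illustration). The browser path requires the account password plus the SMS code, while every application-specific password grants API access on its own; the one thing the design gives a defender is that each of those passwords can be revoked individually.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _digest(secret: str) -> bytes:
    """Store only hashes of secrets (toy model; a real service would use a slow KDF)."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class Account:
    password_hash: bytes
    app_passwords: Dict[str, bytes] = field(default_factory=dict)  # app name -> hash
    pending_sms_code: Optional[str] = None

    # --- browser path: password, then SMS code -------------------------
    def start_browser_login(self, password: str) -> bool:
        if not hmac.compare_digest(self.password_hash, _digest(password)):
            return False
        # Constructed 6-digit code standing in for the SMS message.
        self.pending_sms_code = f"{secrets.randbelow(10**6):06d}"
        return True

    def finish_browser_login(self, code: str) -> bool:
        ok = self.pending_sms_code is not None and hmac.compare_digest(self.pending_sms_code, code)
        self.pending_sms_code = None  # single use
        return ok

    # --- application path: one password per app, no second factor -------
    def issue_app_password(self, app: str) -> str:
        secret = secrets.token_hex(8)  # shown to the user once; only the hash is kept
        self.app_passwords[app] = _digest(secret)
        return secret

    def app_login(self, app_password: str) -> Optional[str]:
        """Returns the app the password belongs to, or None. No SMS code is involved."""
        for app, stored in self.app_passwords.items():
            if hmac.compare_digest(stored, _digest(app_password)):
                return app
        return None

    def revoke(self, app: str) -> None:
        del self.app_passwords[app]


def second_factor_bypass_count(acct: Account) -> int:
    """Number of distinct credentials that reach the account without the SMS step."""
    return len(acct.app_passwords)
```

Auditing `second_factor_bypass_count` after each new application is a quick way to see how many standalone credentials the account has accumulated, and `revoke` is the only per-application control left once they exist.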

I finally disabled the 2-step notification for my Google account, when I found out that I can’t use Google anymore as my OpenID provider, since I am required to generate a new password for each blog or website –those that require registration– I want to comment on. Too much of a hassle to be functional…

Jeroen Sangers @jeroensangers