New devices and novel data requests do not revoke application-specific passwords which, as the article notes, are anything but specific. Also, Apple's security support is a 24-hour round-trip via an email technician.
http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-iss...
For better or worse, google two step authentication is primarily to mitigate shared passwords, phishing and kiosk style keyloggers.
The thing that's always annoyed me is the way that Google allows ASPs in some places but not in others, particularly when an application uses OAuth. Consider this:
A 3rd-party app uses OAuth to access your Google account. Great!
You install the app, fire it up, and the first thing the app does is prompts you to authenticate the app. It takes you to Google's OAuth screen to approve the app. This often happens within a popup window in the app, not your actual browser, which means you're not logged into your Google account, so the first thing you're presented with is a Google login form.
Now, this is a popup window with no URL visible, so how do I know that this is actually Google's form on their server? And even if it is, how do I know the app isn't using some embedded JavaScript to sniff my credentials?
Not wanting to take a chance, I head over to my browser and create a new application-specific password to enter into the login form, knowing that I could easily revoke it if I change my mind. I enter the ASP in the app's popup Google login form, and lo and behold I'm greeted with the message "Please enter your account password and not an Application Specific Password here."
Turns out Google returns a message when you're using an application-specific password prompting you to enter your actual password. Now they've set that precedent. Now any app can simply code up a form to look like Googles, throw it in a popup, and put that message in there after the first time you submit the form to make sure they get your account password (of course, doesn't matter for me, because they don't have my second factor, but it would matter for the majority of people, who don't have 2-factor auth setup). If you didn't enter an ASP the first time, you'd just assume you mistyped or mis-pasted your actual password the first time, and enter it again the second time. Now they can be sure they have your actual password.
Of course, all this would have been moot if the ASP was more powerful than the actual password to begin with, but it seems like after Google's fix, this is back to being a problem.
Any app that takes a ASP would otherwise be storing your main account password. Two step is still improving your security posture here - your main credential can't be used without the temporal pin so the ASP is actually much more valuable.
If you're still concerned about a native popup, just don't enter your correct password the first time. If it fails you're probably pretty safe - Phishing style credential captures usually won't pass it through and risk server side anomaly detection.
"- OAuth tokens are created automatically, while ASPs are a thoroughly manual affair"
"- OAuth tokens use a flexible authorization model, and can be restricted to accessing only certain data or services in your account. By contrast, ASPs are — in terms of enforcement — not actually application-specific at all!"
Well, there's your problem. Application Specific Password isn't very specific at all.
For instance, if I make an app-specific password to sync my bookmarks, that password shouldn't provide access to my Gmail or my settings. Why isn't this already a feature?
Even so, you're probably right in the long term.
Is it simply that the way they do it now is easier to create/manage?
Seems like a no-brainer.
1. something you know (password)
2. something you have (phone, yubikey)
3. something you are (biometrics)
With Google's two-factor, logging in requires something you know (password) and something you have (phone). The 10 passwords should be locked somewhere physically safe as a fail-safe.
Two-factor authentication protects against password leaks and brute force password attacks.[0] It now takes two security failures to access your account rather than one.
On a side note, this is why secret questions are worthless as a security measure. Backing up a password with another mental fact is still single factor authentication.
[0]: Unless the attackers were able to attain your fail-safe passwords, but unlikely given the entropy and presumably Google's security.
edit: I was referring to the Google Authenticator App, not sending the codes over SMS. That's imho less secure.
The general point of two factor authentication is that you need physical access to something (phone, token generator, etc), meaning that if somebody across the world knew your password they'd still be unable to cause any damage - or rather, it would take a lot more effort.
None of those connect to device you've had "physical possession in the past". Only the present. Phone calls, SMS and apps are all portable across hardware.
Without application specific passwords it's actually pretty secure. With ASP of course, according to this article, it's no more secure at all. So it looks like ASPs need to be revised/locked down. That doesn't mean that 2-factor security is useless in principle, just that this facet of it is insecure.
This is not at all the conclusion of the article. This isn't a bright-line issue; security exists on a spectrum.
Here are two things worth knowing (that are somewhat covered by the article):
* aside from OAuth, any method of client auth is basically equivalent to SSO (ie, your entire Google account). As noted in the article, this includes app-specific passwords
* SSO is not meant for programmatic access. If you want code to have access to SSO credentials, it's easiest to use some other auth service, and then "upgrade" to SSO (the linked blog post describes one way of doing this) [1]
[0] https://github.com/simon-weber/Unofficial-Google-Music-API
[1] http://nelenkov.blogspot.com/2012/11/sso-using-account-manag...
I don't really understand this sentence...they say that Google (post-fix) no longer enables access to security-specific pages unless you do two factor auth, so doesn't that mean that post-fix you cannot fully take over someone's Google account without two factor auth?
It's making the case that this does represent a "real" vulnerability, even if certain aspects of the behavior were understood and expected by the system designers.
It's nice that they are fixing a couple loopholes, but not sure if it will actually help any.
"2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces."
So is that one particular hole describe in the article / blog fixed or not!?
also - 3rd party mailers and xmpp clients.
With that aside I want to make it clear that the ASP aspect of Google Authenticator was bypassed and RFC 6238 (http://tools.ietf.org/html/rfc6238) timecode based two-factor authentication is still as solid as they were when it was written (I had a false sense of urgency to read this when I read the title).
