Being slightly obsessed with security, I was delighted to discover that two-factor authentication (OTP) using the Google Authenticator client is not restricted to Google applications, but is fully standardized and as such can be implemented on any system without any dependency on Google services. There is code (of course varying in quality and scope) available for PHP, .NET, Java and Python (and I’m sure there are others).
As you might expect after reading the title, there is a great Google Authenticator WordPress plugin which I installed in 5 minutes’ time earlier today. For the Drupal-heads: Antwerp-based Attiks have a module that implements Google Authenticator OTP which looks worth checking out as well (and I’m interested in your experiences with it, actually).
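To make the “fully standardized” point concrete, here is an added example (not code from this post, nor from the WordPress or Drupal plugins it mentions) of the scheme Google Authenticator actually implements: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), in plain Python using only the standard library. It also shows the server-side verification step a plugin has to get right: a small clock-skew window, a constant-time comparison, and rejecting a code that has already been accepted. The base32 secret is the reference key from the RFCs, used here purely as constructed sample input; the function names are my own.

```python
# Added example: HOTP (RFC 4226) / TOTP (RFC 6238), the open standard behind
# Google Authenticator. Standard library only; function names are my own.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Decode a shared secret as enrolled from an otpauth:// URI / QR code.

    Authenticator apps commonly show the base32 secret lowercase, grouped
    with spaces and without '=' padding; normalise all of that first."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)     # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6,
                last_used: int = -1) -> Optional[int]:
    """Server-side check. Returns the matching time-step counter on success,
    None otherwise. `window` allows +/- that many steps of clock skew;
    `last_used` is the counter most recently accepted for this user, so a
    code that was already used cannot be replayed within the window."""
    if len(code) != digits or not code.isdigit():
        return None
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        # constant-time compare so the check itself leaks nothing about the code
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Constructed demo input: the RFC 4226 / RFC 6238 reference secret
# "12345678901234567890" in the base32 form an enrolment QR code would carry.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(RFC_SECRET_B32)
    print("counter 0 ->", hotp(key, 0))       # RFC 4226 vector: 755224
    print("t=59      ->", totp(key, 59))      # RFC 6238 vector (6 digits): 287082
    print("now       ->", totp(key, int(time.time())))
    print("late code ->", verify_totp(key, "287082", 89))   # one step late: accepted
    print("replayed  ->", verify_totp(key, "287082", 89, last_used=1))  # None
```

The two printed reference values are the published RFC test vectors, which is the quickest way to check any third-party OTP library before trusting it with logins. Note that with `window=1` a code stays valid for up to 30 seconds after its step ends, so the server clock has to be kept in sync (NTP) and the accepted counter has to be persisted per user for the replay check to mean anything.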
2-step
Now you can have my Facebook password as well!
It’s been almost a year since I volunteered to give my readers my Google password, after enabling 2-step verification that is. I ended the blog post on that topic with
And now off to Facebook security settings, to enable login notifications & approvals.
And although I did activate “login notifications” at that point, I did not enable approvals (for reasons I don’t remember, maybe I was just being lazy).
Fast-forward to yesterday evening, when I received a mail from Facebook that stated that my account was temporarily locked because it was logged into from a location I had never used before. I immediately changed my password and finally enabled “login approvals” this morning as well. “Approvals” sends a security code via SMS when logging in from an unknown location, which you’ll have to enter before you can actually log in. I was pleasantly surprised to see Facebook added a Google Authenticator-like code generator to their Android and iOS apps that you can use to generate a security code as well. Adding the extra security of login approval is easy enough. If you’re on Facebook or Google, you really should consider enabling those (with or without their respective smartphone-based security code generators).
One downside though: using an external chat client (Mozilla Thunderbird in my case) to access Facebook Chat over XMPP doesn’t work anymore as Facebook doesn’t provide “application specific passwords” like Google does. Update: as Jensen points out in the comments below, Facebook does have application passwords, so I re-enabled Facebook Chat in Thunderbird. But that might be a good thing anyway, as the warning mail I received from Facebook seems to refer to the use of Facebook Chat over XMPP:
It looks like someone logged into “Rtgw_xmpp_username_password_login” on Wednesday, November 14, 2012 at 9:04pm.
Not 100% sure if this was a real login attempt or a false positive, but apparently I’m not the first one to receive such a warning.
You can have my Google password!
Although web security is something I like to dabble in, I can’t honestly say it is always at the top of my mind. Up until an hour ago, access to the vast amount of information that Google manages for me (including access to my Google Android account) was protected by nothing but a password. A rather strong password for that matter, but it wasn’t entirely random and it had been the same for quite some time.
As access to important online services such as Google should ideally not rely on just a password (session hijacking anyone?), I activated Google 2-step authentication. What this means is that access to Google (Mail, Docs, …) is now also limited to authenticated devices. If I try to access Google from another computer, I’ll have to authenticate the device using an SMS challenge or a code generated by the Google Authenticator application on my Android phone.
If you’re still unsure about what 2-step authentication entails, here’s a brief intro video from Google:
So yeah, you can have my password now. Theoretically. If you really insist. But even if I do decide to give it to you, you still won’t be able to access my account. How’s that for peace of mind? And now off to Facebook security settings, to enable login notifications & approvals.