twofactorauthentication

De-Google-ifying, part II

by
Screenshot of icons for Google services

Last year, in the fallout following Google’s announcement that it was killing off Reader, I decided to make an effort to reduce my dependency on Google services. The thinking behind it was essentially ‘if Google can kill off Reader, what else will they get rid of?’

Whilst I did delete all of the Google apps off my phone, barring YouTube, within a few weeks they were all back and I was basically back to where I was originally – reliant on many of the services Google offers for free.

But recently I have managed to cut back on my Google dependency.

Contacts – iCloud

I used to use Google Contacts to keep my address book in sync between my various devices – iPhone, Mac, and Windows desktop at work. Originally I used Thunderbird at work which had a couple of  unofficial extensions that synchronised the address book with Google, and my Mac and iPhone both natively supported contact sync.

And then we moved to Office 365, at which point Thunderbird just wasn’t up to the job. So I now use Outlook 2010 like everyone else, and there’s no easy way of linking Google Contacts. iCloud, on the other hand, works fine with Outlook and my Apple devices (obviously) so I successfully migrated a few months ago.

Mobile web browser – Safari

In April last year, when iOS 6 was the latest and greatest, Google Chrome was significantly better than Safari, in my opinion. However the improvements to Safari in iOS 7 and 8 have made them broadly equal in my view and so I’ve removed Google Chrome from my iPhone and iPad. Having just one web browser makes things a little easier to work with and third-party web browsers have always been second-class citizens on iOS. Plus, 1Password integrates with Safari through an app extension, which saves me having to open, close, copy and paste to retrieve passwords.

Two-factor authentication – Authy

Google Authenticator is probably the most well-known app for managing two-factor authentication codes, and indeed it was about the only one available for a long time. Now, there’s Authy, which has a few key advantages. Firstly it’s a universal app that can be installed on both iPhones and iPads, and secondly these can be kept in sync. So if I have my iPad to hand, I can use Authy on that to enter codes on my phone, rather than having to switch between apps. There are also a couple of web sites – namely Humble Bundle and Coinbase – which require Authy rather than Google Authenticator, and Authy can do everything that Google’s app can do anyway. So rather than have both, I’ve moved everything into Authy.

As for everything else, I’m still mostly using Google services. I don’t yet trust Apple Maps enough to use instead of Google Maps, even though it has improved since launch. My calendar is still in Google Calendar despite its woeful support in Outlook, because it allows Christine and I to view each others’ events. The results I get from searching with Google are better than Bing or Yahoo!. So whilst I don’t think I could ever completely give up Google, I’m pleased that I’ve been able to find better solutions elsewhere.

2-Factor authentication on Google

by
Water wheel

Google has recently enabled two-factor authentication for all users with a Google Account. This means that, when you log in, you provide two pieces of secret information, rather than just a password (which would be ‘one-factor’ authentication). This second piece is a 6-digit code that is generated randomly every 30 seconds from another device.

This improves security by ensuring that, even when a third party knows your password, they still cannot log into your account without the 6-digit code (although see below). Think of it like a PIN number – a thief could steal your credit card but wouldn’t be able to get money out of an ATM without knowing the PIN number.

Some banks have started using two-factor authentication for their online banking services – as well as your username and password, you are asked to enter a code generated by a small electronic device on your keyring. Blizzard Entertainment offers a similar device for World of Warcraft and Starcraft II players, as well as a free iPhone app that does the same thing.

So Google isn’t the first to offer this – it’s actually reasonably well tried and tested. To activate it, log into your account and click the ‘Using 2-step verification’ link. Google will then walk you through setting up your account for two-factor authentication.

There are a variety of options for the second factor. There are apps for the iPhone and Android phones, but you can also receive a code by text message to a mobile phone number that you provide during the initial setup. You’ll also be asked to provide a backup system in case you lose your phone; in my case, Google will phone my work number and a computer will read a number to me.

I mentioned there’s a caveat. Two-factor authentication works great on Google’s various web sites, but falls down if you access Google services through other apps, such as IMAP for Gmail, or CalDAV for Google Calendar, which aren’t really designed with two-factor authentication in mind. As soon as you enable two-factor authentication, any attempts to access data over these protocols will see your login fail.

Thankfully, there’s a way around it, in the form of application-specific passwords. Essentially, for each method of connecting to your Google Account, you can create a separate password. Each password can then be revoked if you find someone using it without your permission, and once generated, passwords cannot be viewed again. Furthermore, the passwords can’t be used to get into your account on the Google web site (they would need your main password and verification code), so it wouldn’t be possible for a hacker to change your main password, or deactivate the two-factor system. It’s not a perfect solution, though.

I’ve turned on two-factor authentication because I have a lot of important personal data in my Google Account – all my contacts, my calendars and hosting details for this site – and wouldn’t want anyone obtaining unauthorised access. The workarounds for CalDAV and IMAP are a bit of a pain, but I feel it’s worth it for the piece of mind.

Whilst we’re on the subject of Google Account security, if you use Firefox I’d recommend installing the HTTPS Everywhere addon, which forces the use of SSL/TLS on most parts of Google. I would, however, suggest disabling the ‘Google APIs’ option in its preferences as this may break some other web sites. Still, it will help to prevent your Google Account data being caught be man-in-the-middle attacks.