made me do it, but now I don't know whether to curse him, the hacker who ruined Honan's digital life, or Google, which is making me rue the moment I clicked to enable two-factor authentication to better safeguard my accounts.
You will recall that Wired writer Honan was plunged into a digital hell when control of some of his accounts -- Amazon, iCloud, and more -- was seized by a clever hacker (who, incidentally, did most of his mischief with old-fashioned social engineering, meaning he charmed his way into retrieving passwords that Apple and Amazon handed out).
Understand: Everything I do revolves around Google -- I use Gmail and Google Voice, I have an Android phone, I even use a Chromebook for much of my computing. And that is why, when I heard about Honan's misfortune, I liked the idea of beefing up the security wall around my Google accounts.
The core idea of Google's two-factor authentication borrows from banking sites by requiring the user to input something he knows (username and password) and something he has (in Google's case, a phone number that can receive either an SMS or a voice call with a numeric code). The result is a sharp jump in security.
To sign in, you type username, password, and that onetime numeric code, and theoretically, that will keep hackers distant.
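The two-step sign-in described above, as an added example that is not from the article or from Google: factor one checks a stored password hash, factor two issues a short numeric onetime code that is then verified with an expiry, an attempt limit, a constant-time comparison and single use. The user record, the 6-digit code length, the 5-minute lifetime and the 3-attempt limit are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: a 6-digit numeric code
CODE_TTL_SECONDS = 300   # assumption: code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong codes invalidate the pending code


def _hash_password(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed sample user store; a real deployment uses os.urandom() salts.
_ALICE_SALT = b"constructed-salt-alice"
_DUMMY_SALT = b"constructed-salt-dummy"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "hash": _hash_password("correct horse battery", _ALICE_SALT),
    }
}


class SecondFactor:
    """Pending onetime codes, keyed by username (the 'something you have' step).

    `now` is injectable so that expiry can be exercised deterministically."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        # Uniformly random numeric code, zero-padded to CODE_DIGITS.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # delivered out of band (SMS / voice call), never shown in the browser

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:            # expired: discard it
            del self._pending[username]
            return False
        if not hmac.compare_digest(code, submitted):
            entry[2] -= 1                        # burn one attempt
            if entry[2] <= 0:                    # too many guesses: discard it
                del self._pending[username]
            return False
        del self._pending[username]              # single use
        return True


def sign_in_step1(username, password, second_factor):
    """Factor one: something the user knows. Returns the issued code on success,
    None otherwise. A dummy hash is computed for unknown users so that the
    response time does not reveal whether the account exists."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else _DUMMY_SALT
    computed = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(computed, user["hash"]):
        return None
    return second_factor.issue(username)


def sign_in_step2(username, code, second_factor):
    """Factor two: the onetime code received on the phone."""
    return second_factor.verify(username, code)


if __name__ == "__main__":
    sf = SecondFactor()
    code = sign_in_step1("alice", "correct horse battery", sf)
    print("code sent to phone:", code)
    print("wrong code accepted?", sign_in_step2("alice", "000000" if code != "000000" else "111111", sf))
    print("right code accepted?", sign_in_step2("alice", code, sf))
    print("replayed code accepted?", sign_in_step2("alice", code, sf))
```

The three checks in `verify` are the ones that make a numeric code safe despite its small keyspace: a million possibilities are nothing against unlimited offline guessing, but three online attempts inside five minutes, each compared in constant time and the code destroyed on first success, leaves an attacker who has the password a 3-in-a-million chance per login.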
Except it does not work that easily -- trust me. Hours into this I still don't have my calendar syncing on a Kindle Fire, for instance, and that may be just one of many apps that worked fine yesterday but this morning are mired in thick cyber frustration.
The apparent problem: iOS apps do not support the two-factor authentication invoked by Google, and neither, apparently, do at least some apps on the Android-powered HTC One S (running Ice Cream Sandwich) and a Kindle Fire (running an Amazon-tweaked version of Android).
Google knows this is frustrating. It's even put up a video about it on YouTube.
Google's workaround is "application-specific passwords" -- onetime codes that Google advises users not to bother memorizing or writing down -- even though for email on an iPad to sync up it needs that unique password entered (and remembered by the device). Frankly, it's maddening. So far I have set up six of these, and it's not getting easier.
Getting the code is a multi-step process, and the first step is clicking on an app that used to work and now does not. Step two: Find the password that's associated with the app. Fairly straightforward with iOS, not always so on Android, where sometimes passwords appear to be hidden.
Google, helpfully, offers a list of apps it knows require application-specific passwords:
As you work through this list, know that it may not be complete. There is a provocative blog post by software engineer Stephen Rees-Carter, who argues that not only are the application-specific passwords a pain, they actually resulted in lowering his security. That is because Rees-Carter, left to his own devices, loves complicated passwords. He explained: “My Google password is 16 characters long with lower case letters, upper case letters, a couple of numbers, and a couple of random characters.”
The machine-generated application-specific passwords, by contrast, are 16 characters long, mixing only numbers and lowercase letters. No uppercase, no special symbols.
Wrote Rees-Carter, who, like me, has found it necessary to create six such specific passwords: “if you compare this with my original password, this is a lot simpler to crack or guess. Also note, there are now 7 possible passwords that get into my account. By anyones [sic] logic, I have just reduced my security significantly.”
In my case -- where my core Google password is shorter than 16 characters -- maybe mathematically my security has strengthened.
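The arithmetic behind Rees-Carter's complaint and the author's "maybe mathematically" hedge, worked through as an added example that is not part of the article: it compares the keyspace of a 16-character lowercase-plus-digits password with that of a 16-character password drawn from the full printable set, then asks what an account is worth when any one of seven passwords opens it. The 94-symbol alphabet for a "complex" human-chosen password, the 10-character length used for the author's shorter password, and the guessing model (each guess hits password i with probability 2^-b_i, so the effective work is -log2 of the summed probabilities) are all simplifying assumptions of this example.

```python
import math

APP_PASSWORD_ALPHABET = 36   # lowercase letters plus digits, as the article describes
APP_PASSWORD_LENGTH = 16
FULL_ALPHABET = 94           # assumption: printable ASCII minus space for a "complex" password


def keyspace_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random password of `length` symbols
    drawn from `alphabet_size` symbols (log2 of the number of candidates)."""
    return length * math.log2(alphabet_size)


def combined_bits(bits_list):
    """Effective strength of an account that any one of several passwords unlocks.

    Simplified model (assumption): a single guess hits password i with
    probability 2^-b_i; those probabilities add, so the attacker's expected
    work in bits is -log2(sum 2^-b_i). Two equal passwords cost one bit;
    one very weak password dominates everything else."""
    return -math.log2(sum(2.0 ** -b for b in bits_list))


def account_strength(original_bits, app_password_count):
    """Original password plus `app_password_count` machine-generated ones."""
    app = keyspace_bits(APP_PASSWORD_ALPHABET, APP_PASSWORD_LENGTH)
    return combined_bits([original_bits] + [app] * app_password_count)


def rees_carter_scenario():
    """16-char full-alphabet password, then six app-specific passwords added."""
    original = keyspace_bits(FULL_ALPHABET, 16)
    return original, account_strength(original, 6)


def short_password_scenario(length=10):
    """The author's case: a shorter (assumed 10-char) original password."""
    original = keyspace_bits(FULL_ALPHABET, length)
    return original, account_strength(original, 6)


if __name__ == "__main__":
    print(f"app-specific password : {keyspace_bits(APP_PASSWORD_ALPHABET, APP_PASSWORD_LENGTH):.1f} bits")
    orig, combined = rees_carter_scenario()
    print(f"Rees-Carter: original {orig:.1f} bits -> account {combined:.1f} bits with 6 app passwords")
    orig, combined = short_password_scenario()
    print(f"10-char user: original {orig:.1f} bits -> account {combined:.1f} bits with 6 app passwords")
```

Run it and both halves of the argument fall out: the six 36-symbol passwords are each weaker than Rees-Carter's original and together pull his account down by roughly 25 bits, while for a user whose own password is the weakest link the app-specific passwords change the total by a negligible fraction of a bit. The model is an upper bound on human-chosen passwords (which are far from uniform) and ignores online rate limiting, so it says where the weakest credential is, not how long a real attack takes.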
But I am still fiddling with my Fire apps. I know I will find more that don't work on my HTC phone. And now I have Rees-Carter complaining that Google's beefed-up security is a shell game that has left him more exposed.
Damn that Mat Honan!
— Robert McGarvey has been online and writing about the Internet for nearly 25 years.