Monday, September 20, 2010

Google's two factor authentication and why you need four OpenID accounts

My Google account was hacked two weeks ago, so today Google is deploying two factor authentication to (paid) Google Apps.

What, you think that's coincidental? You underestimate my power (cue mad laughter).

This is a good thing, but it won't prevent a keystroke logger from pinching your password if you use an insecure (ex: XP) machine. On the other hand, maybe I'll switch to a trivial password and just rely on the more robust 2nd factor.

Which brings me to OpenID and OAuth. In my latest post-hack "what am I doing" post I warned against OpenID. The only thing worse than losing a critical password to keystroke logging is losing a critical OpenID password.

Since then I've been thinking about where we're going, and I think there's a place for OpenID/OAuth and two factor authentication. More specifically, there's a role for multiple OAuth (I'll drop the /OpenID for now) accounts - one for each of the five credential classes.

What's a credential class? Think in terms of how you'd feel about someone taking your credentials ...
I: You want it? Take it.
II: I'd rather you didn't.
III: Help!! Help!! 
IV: I'll fight you for it.
V: Kreegah bundolo! Kill!! 
We need a master account with Category V security. The One Ring account has two factor authentication and a robust reset procedure that might involve banks and other identity authentication services. It may be tied to a strong identity as well, but that's another post. You only enter these Category V credentials on a secure machine and an encrypted connection. The Master Account can be used to override and change the passwords on lesser accounts.

From the master account we have four other credentials (un/pw combinations), each with OpenID/OAuth services.

The Class IV credential service is what we use with Gmail and a range of high-end OpenID/OAuth services like banks. We enter these credentials only on a secure machine - but there's a degree of comfort from having a Class V account that can change passwords. On less secure machines maybe we use two factor authentication.

The Class III credentials are what we use anywhere that has credit card capabilities. Use these for Amazon and iTunes.

Class II credentials are for your spam only Yahoo email and the New York Times.

Class I credentials are for the Minneapolis Star Tribune.

In a world of widespread OAuth/OpenID type services and this type of master account we really need to know five passwords, and only three of them have to be decent passwords. We can manage that.
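The tiering described above, written out as a small policy model so the rules can be checked rather than just read. This is an added example, not code from the post; the `Cls`, `Machine` and `SERVICE_CLASS` names are mine, and the post says nothing about machine restrictions for Classes I-III, so the model assumes none.

```python
from dataclasses import dataclass
from enum import IntEnum


class Cls(IntEnum):
    """The post's five credential classes, ordered by how hard you'd fight for them."""
    I = 1    # "You want it? Take it."
    II = 2   # spam-only mail, newspapers
    III = 3  # anything that holds a credit card
    IV = 4   # Gmail, banks and other high-end OAuth relying parties
    V = 5    # the master ("One Ring") account


# Services named in the post, mapped to the class they sit behind (my naming).
SERVICE_CLASS = {
    "gmail": Cls.IV, "bank": Cls.IV,
    "amazon": Cls.III, "itunes": Cls.III,
    "yahoo-spam-mail": Cls.II, "nytimes": Cls.II,
    "startribune": Cls.I,
}


@dataclass(frozen=True)
class Machine:
    secure: bool     # trusted, patched device (not an old XP box with a keylogger)
    encrypted: bool  # encrypted connection to the identity provider


def login_permitted(cls: Cls, machine: Machine, second_factor: bool) -> bool:
    """Where the post allows each class of credential to be typed."""
    if cls is Cls.V:
        # Master credentials: secure machine, encrypted link, and the 2nd factor.
        return machine.secure and machine.encrypted and second_factor
    if cls is Cls.IV:
        # Secure machine, or an insecure one only when the 2nd factor is presented.
        return machine.secure or second_factor
    return True  # Classes I-III: no machine restriction (assumption, not in the post)


def usable_services(machine: Machine, second_factor: bool) -> list[str]:
    """Services you may sign in to from this machine under the policy."""
    return sorted(s for s, c in SERVICE_CLASS.items()
                  if login_permitted(c, machine, second_factor))


def can_reset(actor: Cls, target: Cls) -> bool:
    """Only the master account may override a lesser account's password."""
    return actor is Cls.V and target < Cls.V


def needs_decent_password(cls: Cls) -> bool:
    """Only the top three classes need a real password, per the post."""
    return cls >= Cls.III
```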

This is where we will go.

We can do it now of course, by setting up five Google accounts. It will probably get a lot easier when Google Apps start providing full Google account services for each user, with optional two factor authentication.

In fact, this is so simple I'm surprised MyOpenID doesn't do it already.

Maybe in two weeks.

1 comment:

Martin said...

I am disappointed that I cannot use the new feature – I can enable it in the admin panel, however, it does not show up in the user options. A safe guess is that this problem is caused by my recent transition from Google Apps to Google Accounts …