Last week on Chit Chat Across the Pond, Bart worked me over yet again that I should do two-factor authentication on my email accounts. I whined a lot as I’m sure you heard. Some of you were thinking, “Oh Allison, quit your whining. It’s not THAT hard and it’s totally worth it because you’re protecting the crown jewels.” On the other hand, there were those of you who were saying, “It sounds really hard to me too!”
When we were talking about it, I compared it to how things were in the old days when the subject was doing backups. We all knew it was smart to do backups, but it was a nightmare to do it in an automated way. Until it got so easy all you did was plug in a hard drive, many of us procrastinated on doing what was right for a long time.
The same thing happened with passwords. We knew we should use good ones, but it was too hard to remember them. We waited until LastPass and 1Password came along and made it easy enough that we realized it was simpler to use a password manager than to do it ourselves. Only then did we become more secure.
But I trust Bart and I trust everyone else who’s been telling me it’s easy to do two-factor authentication now. I’ve been assured that it’s not that bad.
For anyone who hasn’t passed through these gates before, let’s explain how two-factor authentication works. For the sake of argument, we’ll talk about our email addresses, like Gmail and Apple Mail. Today we log into those services with our email address and a password. Because we’re brilliant, we use password managers like 1Password and LastPass and we’ve chosen long, complex passwords.
Two-factor authentication adds one more step. The first time you authenticate to a service from a new device, you have to have your username and password but also a token to prove you’re you. The token is a one-time six-digit code.
Now how do you get that code? During the process of turning on two-factor authentication, you’ll be presented with some options on how the code will be sent to you. You can have a text message sent to you, or you can use an authentication program, like Authy which Joe LaGreca reviewed for us on NosillaCast #566, or you can use the built-in capabilities in 1Password to generate what they call “one-time passwords”.
The reason this isn’t as painful as it sounds is because you only do it once when you use a new device. Or so everyone promised me. I thought long and hard about whether to write up my experience with two-factor authentication here, because I believe it’s the right thing to do, but if you haven’t done it yet, you’ll never do it after listening to me.
Bart says that because I have so many devices, I’m not normal, so I shouldn’t judge two-factor authentication based on my personal experiences. I think that’s a fair argument. I’ll explain the process in incremental steps so you can see how it would be for you, depending on how many devices you have.
One Mac, One User
Let’s start with one user who has one Mac and they don’t share their account with anyone. We’ll use Google as the example. If they live in the Google ecosystem, they’re likely to use Gmail via the web. They have Safari built in, so they go to Gmail, try to log in, get prompted for the code once and they’re done.
But since they’re a Gmail user, maybe they also use the Chrome browser. They have to do the code dance on Chrome too, so that’s twice. They might use Gmail via Apple Mail. Time to do a third authentication. Any self-respecting Google user will have a free Google Drive too, and the Drive application will ask for that two-factor authentication making a total of four times they’ll have to get a code.
So one user, one Mac, has to do it 4 times.
One Mac, One iPhone, One User
Now what if you have an iPhone too? On iOS you have to get a code to use Apple Mail, so that’s a 5th time. Want to use YouTube? 6th time. What about Google+? That’ll be 7 times. Sometimes you end up in Safari when you need access to Google services, so that’ll buy you an 8. Use Google Docs? Well sorry, son, we’re going to need your two-factor authentication again for 9.
One Mac, One iPhone, One iPad, One User
We’ve probably covered most normal people, but we’re talking to NosillaCastaways here. I bet a huge percentage have an iPad too. The iPhone added 5 authentications, so we need to do it another 5 times for the iPad too. So if you have a Mac, an iPhone and an iPad, we’re at 14 times.
Shared User Accounts
I know a lot of couples who share email addresses. It actually drives me bonkers because sometimes I want to write to one person and I don’t have the same relationship with both people. I run into this a LOT. Usually one person is tech savvy and the other isn’t but that might be a generalization. In any case, this could mean that the number of times this code dance has to happen is doubled, AND it’s with a less tech savvy person.
I’m lucky because Steve is pretty geeky, but we do share one account, and that’s the Gmail account dedicated to the NosillaCast. We use it for his videos of our interviews, and it’s the persona that runs the Google Hangouts on Air. So even though he doesn’t use this account for every service and every device, it increased the number of codes entered by a LOT, and every time he needed one, he needed ME because they were coming to my phone.
I also have multiple Macs and iPads and iPhones because of the podcast and the screencasting work I do for ScreenCasts Online, so at last count, between Steve and me, we had triggered a two-factor authentication code TWENTY SEVEN TIMES. I’m sure we’ll still get some more over time.
So 27 times…and that’s just one email address. I have my podfeet.com address and my Apple ID to do and I just don’t think I have the stamina for it. That Apple ID is in the App Store, the Mac App Store and iTunes and Photostream and it’s even on our four Apple TVs – so how much fun would that be to type in several times per device?
Now I can hear some of you saying that I made it too hard by using the SMS code, that I should have used Authy or 1Password. But that’s solving the wrong problem. Since I have Apple Messages come up as notifications on every single device I own, I can see the code right in front of me that I need to enter. Easy to quickly bang out those 6 digits. If I’d used a 3rd party app, I’d have to switch over, find the entry, copy the code, double click home to get back and then paste.
Each time I needed a code, it wasn’t hard at all to enter, it was simply the number of times I had to do it that was so annoying. They said “once per device”, but that’s really not a true representation.
Two-factor authentication is death by a thousand paper cuts.
Amen.
You’ll get over the pain when you get an email from Google that says someone from Estonia tried (failed) to log into your account. Then 2FA will feel good.
As the geek in our marriage, this tech stuff falls on my plate, and we have computers, iPhones, iPads, and Apple TVs, along with Apple Watches etc. This dance is NOT easy – and sometimes I question its worth, but so far, we have not been hacked. I do dread device upgrade days, especially since I also have many clients that I must also shepherd through the process. Thanks for your great podcast!
Great blog post, Allison. Thanks for being a tech scout, so to speak, before we jump into the great unknown.
George
[…] Google Two-Factor Authentication – Not as Painless as I’d Hoped […]