Bypassing Strong Authentication... With Passwords?!

Passwords13 Las Vegas

Presented by: Adam Goodman (akgood)
Date: Wednesday July 31, 2013
Time: 14:30 - 15:20
Location: Main Room
Track: Passwords13

Amid many calls to "kill the password" with strong auth, we'll show -- by studying some issues in Google's 2FA deployment -- how this may be harder (and more perilous) than it sounds...

Earlier this year, we reported that an attacker could bypass Google's two-step verification, reset a user's master password, and otherwise gain full account control simply by capturing one of the user's application-specific passwords (ASPs). Google has since taken steps to mitigate the most serious of these threats, but ASPs still pose several risks to Google's users. Nor is Google alone in facing this problem: their ASP implementation serves as a useful case study for anyone seeking to use strong authentication to "kill the password".

We'll discuss the specific flaws in Google's initial ASP implementation, the threats that remain, some analogous issues in other systems, and the broader lessons that we can learn from this experience.
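The design lesson behind the abstract above, as an added example that is not part of the talk, this conference page, or Google's code: a toy authentication service modelled two ways. In the naive design an ASP is accepted as just another account password, so a captured ASP yields a session that can reset the master password without ever passing the second factor. In the scoped design an ASP authenticates only to the protocol it was issued for and never unlocks account management. Everything here (the Account, Session, NaiveService and ScopedService classes, the "imap" scope, the sample passphrase and code) is constructed for illustration and does not reproduce the actual mechanism behind the Google issue.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed toy model of two ways to treat application-specific passwords (ASPs).
# Added illustration only: not Google's code or mechanism; all names are assumptions.

def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)  # slow hash; low count for a demo

@dataclass
class Account:
    salt: bytes
    master_hash: bytes
    totp_code: str                              # stand-in for a real second-factor check
    asps: list = field(default_factory=list)    # (hash, scope) per issued ASP

    @classmethod
    def create(cls, master_pw, totp_code):
        salt = secrets.token_bytes(16)
        return cls(salt, _kdf(master_pw, salt), totp_code)

    def issue_asp(self, scope):
        """Mint a random ASP for one protocol; the plaintext is shown to the user once."""
        asp = secrets.token_hex(8)
        self.asps.append((_kdf(asp, self.salt), scope))
        return asp

    def master_ok(self, secret):
        return hmac.compare_digest(_kdf(secret, self.salt), self.master_hash)

    def asp_scope(self, secret):
        """Scope the matching ASP was issued for, or None if no ASP matches."""
        h = _kdf(secret, self.salt)
        return next((s for ah, s in self.asps if hmac.compare_digest(h, ah)), None)

@dataclass(frozen=True)
class Session:
    strong: bool    # True only if master password plus second factor were presented
    scope: str      # "*" for a full account session, else one protocol name

class NaiveService:
    """Flawed design: an ASP is just another account password. Wherever it is
    presented it yields a session indistinguishable from a 2FA-verified one."""
    def login(self, acct, secret, totp=None):
        if acct.master_ok(secret) and totp == acct.totp_code:
            return Session(strong=True, scope="*")
        if acct.asp_scope(secret) is not None:
            return Session(strong=True, scope="*")      # second factor skipped: the bypass
        return None

    def protocol_auth(self, acct, secret, protocol):
        return self.login(acct, secret)                 # no distinction between endpoints

    def reset_master_password(self, acct, session, new_pw):
        if session is None:
            return False
        acct.master_hash = _kdf(new_pw, acct.salt)
        return True

class ScopedService:
    """Hardened design: an ASP works only for the protocol it was issued for, never
    at the interactive login, and account management demands a strong session."""
    def login(self, acct, secret, totp=None):
        if acct.master_ok(secret) and totp == acct.totp_code:
            return Session(strong=True, scope="*")
        return None                                     # ASPs are rejected here

    def protocol_auth(self, acct, secret, protocol):
        if acct.asp_scope(secret) == protocol:
            return Session(strong=False, scope=protocol)
        return None

    def reset_master_password(self, acct, session, new_pw):
        if session is None or not session.strong or session.scope != "*":
            return False
        acct.master_hash = _kdf(new_pw, acct.salt)
        return True

def attacker_takeover(svc):
    """Can someone holding only a captured IMAP ASP reset the master password?"""
    acct = Account.create("master-passphrase-for-demo", totp_code="492817")
    captured_asp = acct.issue_asp("imap")       # e.g. lifted from a mail client's config
    session = svc.login(acct, captured_asp) or svc.protocol_auth(acct, captured_asp, "imap")
    return svc.reset_master_password(acct, session, "attacker-chosen")

def legitimate_use(svc):
    """The ASP still serves its own protocol; the owner can still reset with full auth."""
    acct = Account.create("master-passphrase-for-demo", totp_code="492817")
    asp = acct.issue_asp("imap")
    owner = svc.login(acct, "master-passphrase-for-demo", totp="492817")
    return {"imap_with_asp": svc.protocol_auth(acct, asp, "imap") is not None,
            "smtp_with_imap_asp": svc.protocol_auth(acct, asp, "smtp") is not None,
            "owner_reset": svc.reset_master_password(acct, owner, "new-pass")}

if __name__ == "__main__":
    for svc in (NaiveService(), ScopedService()):
        print(type(svc).__name__, "takeover:", attacker_takeover(svc), legitimate_use(svc))
```

Running the file prints the outcome for both designs: the naive service lets the captured ASP reset the master password, the scoped one does not, and in both the ASP still works for IMAP and the owner can still reset with password plus second factor. The check that matters in the hardened version lives in reset_master_password: it demands a session that is both strong (second factor presented) and full-scope, so no credential that skipped the second factor can reach it, whichever endpoint accepted that credential.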

Adam Goodman

Adam Goodman, aka akgood, is a co-founder and Principal Security Architect at Duo Security, where he and his cohorts work to radically improve the ease-of-use in strong authentication systems. He was previously a founding engineer at Zattoo, Europe's leading live-streaming Internet TV operator, where he led the development of secure P2P distribution and digital rights management protocols. Adam enjoys bicycles and beer (sometimes in close proximity to one another), and has a fondness for puns that has led to many threats of bodily harm...

