Google 2-step verification – a usability note

Google’s two-factor authentication system (they call it “2-step verification”) is a good safeguard against online criminals hijacking your account.*

After enabling 2-step verification, whenever you log in to your Google account (e.g. for Gmail) you get a text message on your phone. Unless you enter the numeric code from that text message, you cannot access your account.

This is classic two-factor authentication in that it ensures

  1. You know the password for your account and
  2. You have your phone in your possession

As this would quickly get annoying for people who log in and out of their Google profile all the time, there is an option to “Remember this computer for 30 days”. This means that Google will not require two-factor authentication for a month for that particular computer & browser if the user says so.

But how does Google know that this computer is one to be trusted? This information is stored in a cookie. To safeguard my privacy I always set up my browsers to delete all cookies (and LSOs). But this wipes out the Google cookie that “remembers” my machine as well, which means I am asked again and again for 2-factor authentication. This situation quickly gets annoying. Isn’t it possible to tell my browser (Firefox) to delete all cookies EXCEPT the necessary Google cookies every time it exits?

Luckily it is. You need the following settings in Firefox:

  • Accept cookies from sites
  • Keep until: I close Firefox
  • Exceptions…: accounts.google.com – “Allow”

This is what your Firefox Preferences window should look like on Ubuntu Linux:

…and the exception window that does the trick – this is how the critical cookies from accounts.google.com will NOT be deleted. Instead they will be preserved across browser sessions and you will not have to do two-step verification every time you login to Gmail with computers you trust:

For Windows users, the same options work just fine – here is what the options window needs to look like on Windows 7:

…and the exception rule:

Try it. Shut down Firefox, start it up again and have a look at the stored cookies from the main settings panel under Privacy -> Show Cookies. There should only be cookies from “accounts.google.com” and perhaps from your browser’s homepage there – nothing else.
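The same check can be scripted against the profile’s cookie database once Firefox has exited. This is an added example, not part of the original post: it assumes a `moz_cookies` table with `host` and `name` columns (a real Firefox `cookies.sqlite` has more columns), and the sample jar it builds is constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Sites whose cookies the Firefox "Exceptions..." rule from the post keeps.
ALLOWED_HOSTS = {"accounts.google.com"}


def host_allowed(host: str, allowed: set = ALLOWED_HOSTS) -> bool:
    """True if the cookie host is an allow-listed site or a subdomain of one.
    Firefox stores domain-wide cookies with a leading dot, e.g. '.example.org'."""
    h = host.lstrip(".")
    return any(h == a or h.endswith("." + a) for a in allowed)


def unexpected_cookies(cookies_db: str, allowed: set = ALLOWED_HOSTS) -> list:
    """Return (host, name) for every cookie that survived browser exit but is
    not covered by the allow-list. An empty list means the setup works."""
    con = sqlite3.connect(cookies_db)
    try:
        rows = con.execute("SELECT host, name FROM moz_cookies").fetchall()
    finally:
        con.close()
    return sorted((h, n) for h, n in rows if not host_allowed(h, allowed))


def make_sample_db(path: str) -> None:
    """Constructed sample jar (cut-down schema) as it might look after exit.
    Cookie names are made up for the demo, not real Google cookie names."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT, expiry INTEGER)")
    con.executemany(
        "INSERT INTO moz_cookies VALUES (?, ?, ?, ?)",
        [
            ("accounts.google.com", "remember_device", "x", 2000000000),
            ("accounts.google.com", "session", "x", 2000000000),
            ("tracker.example", "uid", "x", 2000000000),
            ("www.example.org", "homepage_pref", "x", 2000000000),
        ],
    )
    con.commit()
    con.close()


def check_sample_jar() -> list:
    """Build the constructed jar in a temp dir and report leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "cookies.sqlite")
        make_sample_db(db)
        return unexpected_cookies(db)
```

Point it at `~/.mozilla/firefox/<profile>/cookies.sqlite` (with Firefox closed) to audit a real profile; any host listed is one the exception rule did not cover.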

You now have

  • Better security of your Google account due to 2-step verification
  • Better usability because you don’t need to perform 2-step verification all the time on your trusted computers
  • Decent privacy & lack of tracking because Firefox deletes almost all cookies every time it exits.

This is the tip of the iceberg (think malware, LSOs, unique browser fingerprints etc), but hey, it’s better than nothing.

* Unfortunately it doesn’t really help when the attacker is the government. As Wikileaks and Privacy International have pointed out with the “Spy Files” project, when it comes to government surveillance Gmail users are screwed.

8 thoughts on “Google 2-step verification – a usability note”

  1. Thanks for the good hint!

    I am using Google Chrome and do have the same problem. However, even when I allow the google account cookies to be stored via the exception option, I will have to log in using 2-step verification every single time…
    Any idea why this still doesn’t work?

    Thanks,
    fox

    • Try setting your homepage to “blank”, then close Chrome, then launch it again.

      Now look at your cookies – if there is nothing there, the Google accounts cookie is being deleted and that’s why you’re asked for 2-step verification again. You’ll have to figure out what deletes that cookie.

      Do post back with results!

      • This is really weird.
        All the google cookies are still there. So the exception rule seems to work. However, 2-step verification still asks for the password every single time. So I was thinking that it must be one of my apps/extensions. I checked them but they do not delete any browser data. Then I played around with the Chrome options:

        If one unchecks the “delete cookies when Browser is closed” option, the 2-step verification indeed saves the code, i.e. the problem is clearly not related to apps/extensions, but to the workaround using [*.]google.com: The cookies are not being deleted. However, there must be one single entry within a cookie that gets erased…

        Any ideas?
        Thanks,
        fox

      • I found a workaround that actually works:

        Allow Chrome to save all cookies.
        Install CCleaner and go to:

        Options–>Settings
        and check “Run CCleaner when computer starts” (unfortunately there is no option to delete cookies on shutdown…)

        Options–>Cookies
        Drag and drop the cookies you want to keep to the corresponding table on the right-hand side. For example: mail.google.com

        This will do until someone finds a better solution.
        Hope it helps…

        Please feel free to post this comment to other forums…

        Regards,
        fox

  2. Does Google keep a server side database to check for MAC addresses a user has accessed a site from or is the verification dependent on the client having a cookie or not?

    We are trying to build our own version of 2 step verification and would like some suggestions.

    • This is the core message of this article – verification is cookie-based, so if you follow best privacy practices and auto-delete your cookies on browser exit, your device becomes “unrecognized” every time you log in to Google services.

      Whether they keep a database of MACs I do not know, but can’t see why Google would do that. MACs are like biometric data – static and impossible to change for legitimate users (hence easy to steal once, exploit forever by miscreants) and at the same time exploitable by criminals (MAC spoofing).

      The strength of the current Google implementation is that the secret cookie they give your computer lasts for a maximum of 30 days, and then it’s a new cookie that attackers would need to re-steal to impersonate legitimate users.

      • That blog post’s author seems to be the most qualified to answer your question! Let us know what he comes back with.
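For the question above about building a cookie-based “remember this computer” step, here is an added illustration (not Google’s implementation and not from the original post) of the design the reply describes: the server hands the browser a signed token that is valid for at most 30 days, and any missing, expired or tampered token means the second factor is asked for again. The key and user names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TRUST_TTL = 30 * 24 * 3600          # "Remember this computer for 30 days"
SERVER_KEY = b"constructed-demo-key"  # assumption: a per-server secret; not a real key


def issue_trust_cookie(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Mint the cookie a server sets after the SMS code was entered correctly.
    Format: user|expiry|nonce|hmac. The nonce is unique per issuance, so a
    server can revoke a single device by remembering nonces it no longer trusts."""
    exp = now + TRUST_TTL
    nonce = secrets.token_hex(16)
    payload = f"{user_id}|{exp}|{nonce}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def device_is_trusted(cookie: Optional[str], user_id: str, now: int,
                      key: bytes = SERVER_KEY) -> bool:
    """True only for an unexpired, untampered cookie issued to this user.
    Every failure path means: ask for the second factor again. A browser that
    wipes its cookie jar on exit lands here on every login, as the post explains."""
    if not cookie:
        return False
    try:
        uid, exp_s, nonce, mac = cookie.split("|")
        exp = int(exp_s)
    except ValueError:
        return False
    expected = hmac.new(key, f"{uid}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    return uid == user_id and now < exp


def needs_second_factor(cookie: Optional[str], user_id: str, now: int) -> bool:
    """Login decision after the password check: skip the SMS step only when
    the presented cookie proves the device was recently verified."""
    return not device_is_trusted(cookie, user_id, now)
```

Storing the token in an HttpOnly, Secure cookie and keeping the 30-day ceiling bounds how long a stolen cookie is useful, which is the property the reply above credits Google’s scheme with.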
