LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Per-Device Passwords

Per-Device Passwords

Posted Aug 4, 2011 5:55 UTC (Thu) by wtogami (subscriber, #32325)
Parent article: Password storage on Android devices

I really like Google's 2-factor authentication and per-device passwords. The only password stored on my phone is a per-device password for GMail. If they steal my phone, they cannot use that to break into my GMail account. If they steal my real GMail password (keylogger or something), they also need to steal my phone to have the 2nd-factor to login to GMail.

Sure, it isn't perfect, but it's better than without.

(Log in to post comments)

Per-Device Passwords

Posted Aug 4, 2011 12:37 UTC (Thu) by Comet (subscriber, #11646) [Link]

Except the "application-specific passwords" are not application or device specific. They never get locked down to be for the application with which they're first used.

So if you create 3 app-specific passwords, you've created three passwords which have access to any of your Google services, bypassing the two-factor auth you may have setup. Sure, Google's auth system will only show you those passwords once, but if they're stolen from a device, game over.

Until Google start locking down those passwords so that they're only valid for accessing the service with which they're first used, they're a gaping hole; their only redeeming attribute is that the passwords have better entropy than most humans will typically choose.

Ideally, the app-specific passwords would have a checkbox, "needs to be a secure signature upon this password", so that a signing-key stored in a TPM could sign the password, nonce and a timestamp, then send all but the password. Publish the algorithm. Then the unchecked passwords are still as exposed, so if you're using a third-party app you have a problem, but anyone writing software with custom support could get something halfway decent.

But by this point you're half-way towards OAUTH and long-term issued credentials anyway. So don't do the custom schemes but accept the need to implement the crazy.

Per-Device Passwords

Posted Aug 4, 2011 13:36 UTC (Thu) by pj (subscriber, #4506) [Link]

OAUTH + some management seems to be the answer I think would be fine:

1) OAUTH so that no app has my actual password, they have essentially per-app passwords

2) management somewhere (my OAUTH provider?) that will let me de-auth all the passwords associated with my device in case it's lost.

Though honestly, I'd be pretty happy with just 1. first-use-time login and 2. a decent phone lock-screen.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds