
I think Google's thinking on this is that 2FA tokens are definitely "one of those things you don't want stored in a subpoenable manner by your Cloud provider." If your 2FA token is synced to iCloud, for example, then it's no longer something you have--it's something else you know (your iCloud username+password.)

"Something you Have"-type tokens provide security basically because they're immune to rubber-hose cryptanalysis: if you really just don't have the key to a safe, nothing an attacker does can make you give it to them. As such, tokens are also the factor that protects you from contempt-of-court charges if you're compelled to provide it. (Though they can then ask you "who does have a key?"; if this is an accomplice, it's best if they live in a separate country, and hopefully one which doesn't like the US very much.)




I don't think this argument makes any sense with regard to TOTP, as Google (or Dropbox, Twitter, etc.) most certainly knows the seed/secret for your account at their service and could be forced to divulge it via court order. Or they could simply cough up the plaintext data sans faffing about with 2FA at all. 2FA of this sort only makes it harder for an attacker to get in.

Defense against rubber hose cryptanalysis comes into play where the key only exists in one place, such as the asymmetric private key on a hardware security module, or perhaps a symmetric key stored on a physically-unavailable USB key. But 2FA like TOTP does not imply encryption, even though it relies on some cryptographic primitives.


Keep in mind that Google Authenticator stores arbitrary third-party credentials, though. Subpoena Google and you could get Google's TOTP token for you, along with the rest of your account, sure. Sync Google Authenticator to Google, and suddenly they don't have to subpoena anyone else--just use their Gmail account to reset all their passwords for every other service, and use their TOTP tokens to sign into them. This basically removes the "Principle of Least Privilege" way that subpoenas work.


I'm sorry, I don't follow your logic. Are you trying to say you think Google actually had a rationale for this behavior? Where does "the cloud" come into the equation? This data isn't being synced to iCloud. That defeats the whole purpose.


Because Google fundamentally wants everyone to use Google+ for everything, and their Google Accounts to sign into it. If they weren't thinking about the security implications, Google Authenticator would definitely be a "sync your credentials to your Google Account" app.

I assume that the implementation of 2FA was a 20%-time project (it's sort of sloppily integrated; you need to find a special page that isn't linked from anywhere whenever you need to add an application-specific password, for instance) which reeks of it not being orders from on high. So, the people who implemented 2FA at Google were probably just some people who fundamentally care about 2FA. People who know what "Something you Have" actually means.


> special page that isn't linked from anywhere

It's linked from https://security.google.com/settings/security which is itself linked from https://www.google.com/settings/account ...



