Update – Never mind – see bottom of article.
Discovered an interesting flaw in the requirement for two-factor authentication with gmail today. I like to use the application on my cell phone to ensure that only I have access to my account – and if somehow a keylogger was in place, my password to gmail is of no use, as the 2nd factor authentication would also require access to my cell phone.
However, today I logged into google reader first (which doesn’t support 2nd factor authentication) and used my username and password only. I then clicked the gmail tab at the top of the reader – and hey presto I’m into gmail.
Bottom line – don’t think that just because you have enabled 2nd factor authentication you are safe from keyloggers on a PC or from network sniffing/man-in-the-middle attacks. I’ve not reported this to Google yet but it will be interesting to see what they say.
Update: After signing out AND restarting Firefox I was prompted for the 2nd factor password. Interestingly I wasn’t prompted until I restarted the browser – so as usual – always restart browsers once you’ve finished with them.
I have been using the SuperGenPass bookmarklet for a long time now. It lets me have a unique password for each website I need to log into while remembering only one master password, but the drawback is that it only works for websites and you need the JavaScript bookmark (or a downloaded web page). I have the script saved in my gmail account so I can put it onto a new machine that is under my control, but for those times when you don’t really want to save the bookmarklet on the PC and you have access to your BlackBerry, you can now use this implementation of SuperGenPass for the BlackBerry, thanks to Michael Gorven. The download page is http://mene.za.net/passgen/ and the script also gives you the option of using the PasswordComposer generation scheme for passwords.
The BlackBerry is rapidly becoming my third-party authentication tool – the ability to run programs on it to generate secure passwords is very handy – I have another post on this coming up shortly.