could weaken the system.
Because of these new types of security used on con-sumer products and the sense of security they giveto the users we have come to ask the question:
What security weaknesses can be found in the Google 2-step veriﬁcation system?
To answer this question, a multitude of angles haveto be researched: the smartphone application, theASPs, vulnerability to phishing attacks and othervectors that might surface during the research.
2 The 2-step process
This chapter discusses the process of the 2-step ver-iﬁcation system, from enabling to actually using it.
The user wanting to use the 2-step veriﬁcation pro-cess has to explicitly enable it on their Google ac-count page. This will spawn a setup wizard askingif he wants to receive the veriﬁcation code througha text message or a voice call, or by generating thecode using an application on his smartphone.
2.1.1 Text message or voice call
This method enables users with a standard cellu-lar phone to receive veriﬁcation codes from Google.They will have to enter their cellphone or landlinenumber and choose whether to receive a text mes-sages or voice call with a code which has to be en-tered to verify access to that phone. After success-fully entering this code, the veriﬁcation system canbe enabled.
2.1.2 Mobile Application
Google has developed an Open Source veriﬁcationcode generator for three mobile platforms: Ap-ple’s iOS, its own Android Mobile
(OS) and the BlackBerryOSby
(RIM). When a user chooses to use one
of these applications, the wizard proceeds to give alink where to download the application for the ap-propriateOSand presents the user with a so called‘secret’, which the application needs to generate theright codes. The code can be entered by scanning aQR-code (iOS and Android only) or by entering itmanually. When the application is conﬁgured cor-rectly, it will generate a code that is valid for 30seconds and the user is asked to enter this code toverify the set up.
After the 2-step veriﬁcation system has been en-abled, the user signing in on the browser will stillneed to enter their Google username and password.If this is successful the system will present the userwith an additional step in the form of an input boxasking for their veriﬁcation code. At this point, if the user has chosen to receive the code using a textmessage this code will be sent to the provided num-ber, or in the case of a voice message, the providednumber will be called and it will read out the code.If the user has chosen to use one of the mobile ap-plications, he will need to use the application togenerate the code and enter it while it is still valid.For this to work, it is essential that the date andtime on the cellphone are more or less synchronizedwith the Google servers. Fortunately, the defaultsettings on the supported platforms allow the de-vice to be synchronized by the
Network Time Pro-tocol
2.2.1 Backup Codes
Of course the situation can arise when a user has(temporarily) lost his phone. In this case Googleenables the user to print a small list of backupcodes beforehand. It is recommended that thissmall piece of paper is kept somewhere close to you,like a wallet. This recommendation is based onthe idea that you will always have them with you,should you need them. On the other hand the wal-let is also a safe place to store the paper becausethe user will notice more quickly when he has lostit and can take appropriate action by disabling thecodes.
2.3 Legacy Applications
The drawback of this new login procedure is thatthird-party applications, like e-mail clients, are notable to present the user with a dialogue to providea veriﬁcation code. Google has solved this by dis-abling login to these legacy services with the normalpassword. To login to one of these services, the userﬁrst has to create anASP. This is a randomly gen-erated code of 16 lower-case characters that is usedfor a speciﬁc service. Google asks the user to pro-vide the name of the service for which he is going touse theASP.This name only functions as a labeland in theory can also be used for any other legacyapplication. TheASPis displayed only once andis intended to be entered immediately into the ap-plication for which it is used. Some of the servicesrequiring theseASPs are: