I had used 2 factor authentication on my eBay and PayPal accounts for several years. I had even moved to using a soft token when I got my first iPhone. The recent rash of system attacks I had been hearing about finally got me to do the same to several other accounts.
Over a year ago, I had moved my email domain over to Google Apps. Really glad I did – both from a cost and reliability standpoint. Moving to Google Authenticator seemed a logical next choice. I downloaded the app to my iPhone and began the process of setting up 2 Factor on my email. The process was very straightforward.
I remembered that I also had an iPhone Touch 4G. Since the primary method of “enrolling” a service into Google Authenticator, scanning the barcode, requires a camera, this made the Touch 4G a logical device. I went back into the Google Authenticator interface and didn’t see a way to “redisplay” the barcode used by Google Authenticator to activate a service. At the same time as I was trying to figure out a way to have a 2nd token active, I listened to a podcast from Leo Laporte of TWiT fame. I had the chance to interview him for a podcast I did several years ago and was in his studios last year. Leo described how he kept a backup of the enrollments by taking a picture of the barcode when he activated each service.
Having a backup of the enrollment bar code was a good idea in several ways. It gave me a way to recreate the configuration if my iPhone was replaced. It also gave me a way to set up a 2nd soft token device. This would give me a backup device to use in the event I couldn’t use my iPhone or if I didn’t want to try to switch between apps on my iPhone to get the token. I did some testing and the rotating pin code between the iPhone and iPod Touch varied by a few seconds but nothing that I couldn’t work around.
So as I enroll each service, I take a picture of the barcode and file that in a safe place. Some web sites also give you a code to use if the token fails or isn’t working for some reason. Others give you a list of one-time use codes as a backup method of getting in. Either or both of these should also be recorded in the same place as the barcodes that you used to enroll each site. Some websites/services are doing a better job than others at letting folks know if they support using Google Authenticator. I found this link that told me about some sites that I didn’t know were supporting GA – http://en.wikipedia.org/wiki/Google_Authenticator.
In a future post, I will show how to set up access to ESXi using 2 Factor Authentication using Google Authenticator.
To get the process started for you, please check out www.google.com/2step.