
I used two-factor authentication for about a year, and I just got so sick of it. I had no issue with the whole logging in and using the time-sensitive code from my Android phone. It was the support for all the other Google apps that drove me crazy. I got really tired of needing to generate new temporary passwords for access through iCal, Mail, and I think even sites like StackOverflow. Perhaps I was at a point in life where I had too many new devices and changes going on.

It's the typical security vs accessibility trade-offs. Accessibility won.




SO would not need a password generated. It would only require that you be authenticated with your Google account.

Two-factor is a pain on iOS devices where every Google app needs its own unique password and frequently needs a new one for every update. Android is a completely different story though and adds almost zero overhead.


Plus, don't the special passwords for specific apps (that don't use 2-factor auth) violate the whole point of 2-factor in the first place?

Now, you've got several passwords that work, instead of 1 and a keyfob. Ugh.

Edit: Apparently, you can't log into the web interface with those passwords. That's a step in the right direction, but still not fully secure.


The app-specific passwords are a feature and if you prefer the extra security over being able to use apps that don't support 2-factor, then you can choose not to use them, and get the full security benefits of 2-factor. It's just that, short of expecting every single third-party client app to implement 2-factor authentication or not allowing access to any that don't, there's no alternative to the app-specific passwords.

They are strictly better than using a single password for everything though, in that they are unique and strong (due to being automatically generated and 16 characters long), and easily revocable.


Non-web apps don't have a UI for two-factor. App-specific password is a compromise, which is vulnerable if someone steals your local installation of the client to get its keys.


Right. Did I say something contradicting that? Google could have decided not to offer application-specific passwords at all, but from any individual user's perspective, that's exactly equivalent to just not using them. At least having application-specific passwords gives you the option, and is at least as secure as giving your master password away to every client application.

I suppose there is one possible negative consequence to users who opt not to use app-specific passwords: their existence alone removes some of the incentive for client applications to implement 2-factor themselves (which I don't know if Google even has an API for). And sure, it would be nice to have features like access control on a per password basis (e.g., so I could allow Pidgin to access only gchat, but no other part of my account). But the implication that the mere existence of application-specific passwords somehow makes Google's 2 factor auth useless is just wrong.
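The comments above describe the properties of app-specific passwords: automatically generated, 16 characters long, one per client, individually revocable, accepted by non-web clients (IMAP, CalDAV, chat) but rejected by the web login, and, as the last comment wishes, ideally scoped to one part of the account. The following is an added Python model of that design, written for this page; it is not Google's implementation, and the token alphabet, the hash choices, the scope names and all function names are assumptions made for illustration.

```python
"""Illustrative model of app-specific passwords (not Google's real code).

Assumptions: a token is 16 random lowercase letters, stored only as a
salted hash, bound to a label and a set of client scopes, accepted only
by non-web client endpoints, and revocable on its own.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_lowercase
TOKEN_LEN = 16  # 26**16 is about 2**75 values: not guessable online or offline


@dataclass
class AppPassword:
    label: str          # e.g. "Pidgin on laptop", shown in the revocation UI
    salt: bytes
    digest: bytes
    scopes: frozenset   # client protocols this token may authenticate to
    revoked: bool = False


@dataclass
class Account:
    master_salt: bytes
    master_digest: bytes
    totp_enrolled: bool = True
    app_passwords: list = field(default_factory=list)


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # User-chosen master passwords are low entropy, so use a deliberately slow KDF.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _token_hash(token: str, salt: bytes) -> bytes:
    # Generated tokens already carry ~75 bits of entropy, so a fast hash is
    # sufficient and keeps client logins cheap when an account holds many tokens.
    return hashlib.sha256(salt + token.encode()).digest()


def new_account(master_password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(master_salt=salt, master_digest=_slow_hash(master_password, salt))


def create_app_password(account: Account, label: str, scopes) -> str:
    """Mint a token for one client, store only its hash, return plaintext once."""
    token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
    salt = secrets.token_bytes(16)
    account.app_passwords.append(
        AppPassword(label, salt, _token_hash(token, salt), frozenset(scopes))
    )
    return token


def revoke_app_password(account: Account, label: str) -> bool:
    """Disable every live token carrying this label; returns True if any matched."""
    hit = False
    for ap in account.app_passwords:
        if ap.label == label and not ap.revoked:
            ap.revoked = True
            hit = True
    return hit


def authenticate_client(account: Account, token: str, scope: str):
    """Non-web endpoint (IMAP, CalDAV, XMPP, ...).

    Accepts only a live app password whose scopes cover the protocol. The
    master password is never accepted here, because these protocols cannot
    prompt for the second factor. Returns the token's label or None.
    """
    for ap in account.app_passwords:
        if ap.revoked or scope not in ap.scopes:
            continue
        if hmac.compare_digest(ap.digest, _token_hash(token, ap.salt)):
            return ap.label
    return None


def authenticate_web(account: Account, password: str, totp_valid: bool) -> bool:
    """Web login: master password plus a valid second factor.

    App passwords are never consulted, so a token stolen from a client
    installation cannot reach the account settings page or mint new tokens.
    """
    candidate = _slow_hash(password, account.master_salt)
    if not hmac.compare_digest(account.master_digest, candidate):
        return False
    return totp_valid or not account.totp_enrolled
```

The separation between the two authenticate functions is the point the thread circles around: a leaked app password gives an attacker exactly the one protocol it was scoped to until the user revokes that label, while the master password remains useful only together with the second factor.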



