It is long overdue that we start writing about all the exciting developments we have on our project backlog and those complete or nearing completion.
After final testing over the last three weeks, today was the day when the integration of the Alternate Google Authenticator Login has been added into your iTCHYROBOT School website.
What is Google Authenticator and what happened to the humble password?
If Google Authenticator is something you have never heard of until now, you are probably not alone. Over 3 years ago at iTCHYROBOT, our tech team made the conscious decision to remove passwords from our applications. This was for a whole host of reasons but the biggest driver was the fact that users would pick weak passwords using things like;
- Addresses
- Surnames with a number or exclamation on the end
- Dates of Birth
- Children’s names
Even today as I write this article I am reminded of all the research and discussions that took place around the topic of leaving passwords in the past and presenting alternate models of authenticating users to our applications. In a recent Identity Exposure Report by SpyCloud, covered on ITPro, it was found that “70% of breached passwords are still in use and 64% of users have had more than one password exposed in the last year.”
It is amazing that in 2022 we still rely on a combination of two tokens that can be easily derived, guessed or brute force attacked. Our decision was easy; move away from this model and begin to implement models of authentication that incorporate an external element. Thus, the magic login was born! It is simple really – rather than submit a password, the system knows from your email address who you are and simply sends a one time use unique login link to you. Once you use the link, that is it gone forever. Without access to your email, no one else can access your account.
So this idea was our implementation, but it is not a unique concept and email systems have their drawbacks. As a network admin myself, I can say tongue-in-cheek that we are part of the problem. Spam filtering, domain blocking and all the other good tech that exists in mail systems makes us all-powerful when it comes to controlling the content that comes in and out. But sometimes we end up with false positives in our setups and legitimate emails to users get blocked. And there is the rub. We rely on emails and if they get blocked, then legitimate users cannot get into their account.
To combat this, we have now implemented a secondary model of authenticating and accessing your account.
To answer what is Google Authenticator, we can go with the definition;
“Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of software applications”
All that tech spec translates to two boxes – input your email and a specially generated code to access your account.
Where do I get the code?
There are a couple of steps to getting up and running. If you recall above, part of our requirements is to use an external system, which was previously email. For this new process, you will need your phone and head for the app store and install Google Authenticator.
But it’s blank. Where is my code?
So the first time you want to use the app, you need to login to your website. From there, access your profile and scroll to the Alternate Magic Login section. Open the Google Authenticator app (Google Play Store/Apple App Store) on your phone, press the Plus (+) in the bottom right and select Scan QR Code. Point the phone camera at the QR code and the website will be added to the Google Authenticator App.
Google Authenticator generates a unique code every minute. Now you have your code generating, you can logout and begin using the Alternate Login.
With the new system, there are no passwords to remember and the solution utilises a very secure rotating key supplied through an external application to secure your account.
Check your security
The first Thursday in May is World Password Day and the perfect time to tighten up your password security habits. It’s OK if you didn’t know there was a World Password Day, but for piece of mind take a look at the Google Platform and run a security check.