Sunday, July 29, 2012

Disabling Google 2-step Authentication: Here be dragons.

I just had my first truly bad experience using a Google product. I have used 2-step authentication since it first became available. In the year-plus of using it, it hasn't gotten easier. If you try to log in using something that doesn't understand 2-step, you have to generate an application-specific password. This is a password that is generated for you and shown to you once. It works great for things that remember passwords, but is pretty much unusable for things that don't. Since things remembering passwords is a major security risk, application-specific passwords are a very broken way to do it.

Because very few things that could authenticate against Google have been updated to support 2-step authentication since it came out, I had a long list of application-specific passwords, many of which were for Google products, like Chrome Sync and Android system logins. I got tired of this and disabled my 2-step authentication. That's where the problem began.

Immediately, I could no longer sign into Chrome Sync. The one computer I had already signed in with an application-specific password was still syncing. Google Drive was still syncing. Everything else was telling me to enter my password rather than the application-specific password, even when I entered the actual password. It would reject anything that wasn't my password, as expected. I ended up going to the support forums and asking about it.

It turns out that the process of turning off 2-step authentication is more complicated than it looks. After turning it off, you have to revoke all application-specific passwords, then delete all Google Sync data if you have anything encrypted in it. Only after all that will it work. You would not guess that when you go to turn 2-step off. There is just a little link saying that you click it to turn off 2-step authentication. It provides no warning that you are about to break the entire authentication and sync system for your account.