[tor-bugs] #6986 [Flashproxy]: Set up two-factor auth and app-specific password for email registration helper

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Oct 3 23:30:50 UTC 2012


#6986: Set up two-factor auth and app-specific password for email registration
helper
-------------------------+--------------------------------------------------
 Reporter:  dcf          |          Owner:  dcf
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:     
Component:  Flashproxy   |        Version:     
 Keywords:               |         Parent:     
   Points:               |   Actualpoints:     
-------------------------+--------------------------------------------------

Comment(by dcf):

 Replying to [ticket:6986 dcf]:
 > 1. we can keep the master Gmail password offline, and only allow the
 > facilitator access to IMAP under a different password. A breakin on the
 > facilitator would not, for example, allow the intruder to set a new Gmail
 > forwarding rule.

 I have tried setting this up, and now I'm not so sure that the
 application-specific password cannot be used to access the Google account.
 When I create the password, there is a notice:

   "Note that this password grants complete access to your Google Account."

 On the other hand, when I try to use that password to log in to Gmail with
 a web browser, it fails with the message

   "Please use your account password instead of an application-specific
   password."

 So I don't know exactly what the privileges are of this password. I think
 that having an application-specific password is good for security, even if
 it turns out to be root-equivalent and bypass SMS verification, because
 1. We can in the worst case completely delete the account using the master
 password, if the account is compromised.
 2. We can in theory detect when the application-specific password has been
 unauthorizedly used by examining the "recent activity" page in Gmail.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6986#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

