Google Authenticator as an Information System

Catherine Oei and Duaa Zaheer

Information System Analysis Report
INFO 200 Section AB

Functionality

The Google Authenticator provides users an option to apply a two-step verification

process when signing into their Google accounts. Google Authenticator is also compatible for
implementation with other select applications as well. The core functionality of this information
system is simple; the Google Authenticator helps users better protect their online accounts,
which thereby helps users better protect their personal webs of information. It is a simple way to
bolster the security behind a user’s online data, reducing the chances for identity theft, data
loss, and fraud.
The authenticator is initiated when the user accesses their account from a secondary
device, switches their security settings to enable two-step verification, and follows the prompted
steps to sync their account to the Google Authenticator application on their phone. Initially,
Google sets the primary method of secondary verification as a phone number in which special
codes are texted for login. Once the user’s phone number is synced, they may change the
primary method for secondary verification to the Google Authenticator. This generates a QR
code which must be scanned using the mobile application, syncing the authenticator to the
account. This process does not require internet connection. Now, whenever a user logs into the
respective account with their password, a second prompt will request a code that can only be
accessed through the user’s authenticator app on their mobile device. Users can easily add
accounts to the authenticator, and select whether or not codes are stagnant or regenerated on a
timely basis.
To avoid the tedious process of having to enter in their generated codes time and time
again on the same advice, Google Authenticator allows users to skip the double verification
process on devices that they select as “trusted”. However, when accessing accounts from other
devices, they will be prompted for a verification code. Considering the fact that Google holds a
vast amount of information about its users, it’s important to recognize just how vital it is that
such information is well-protected. A Google account may have credit card information (for
Google Play), confidential messages, and private documents. For this reason, the 2-step
verification process provided by Google Authenticator provides users with an extra level of
security to protect their private and confidential information.
Architecture

People
◆ User - The process begins with a single user who has a Google account.
Technology
◆ Mobile Device - The user must have a mobile device with Google Authenticator
downloaded. This requires the device to have an app store with Google
Authenticator, a phone system that supports it, and sufficient storage. It is useful
for the Authenticator to be easily located. Google Authenticator should be open
on this device.
◆ Internet - To log in to the user’s Google Account, they must have an Internet
connection.
◆ Secondary Device - For users setting up their Google Authenticator for the first
time, they must have a secondary device to scan the QR code in the future.
◆ QR Code - The scanning of the QR code is the method required to sync the
user’s account to the Google Authenticator.
 Information
◆ User Credentials - This information is the user’s username and password
associated with their Google Account. This is the primary information that is
foundational to setting up the authenticator.
◆ Security Instructions - The user must follow the security settings instructions in
order to enable their mobile device for two-factor authentication, which requires a
code to be texted to their phone number. After this, the user can select Google
Authenticator as their primary method for two-factor authentication.
◆ 6 Digit Code - This is the information generated by the Google Authenticator. It is
used as a secondary factor in account authorization for log in.
Search

Users of the Google Authenticator

System would be likely to search for more
detailed instructions about how to set up or sync
their accounts with the authenticator. First-time
users of the Google Authenticator app would
find it incredibly difficult to intuitively recognize
what steps to take in order to get the
Authenticator to function accordingly. Initially,
the only setup instructions in the app that the
user is met with are two options: to “scan
barcode” or “manual entry”. The user is required
to log into their Google Account, navigate to
security settings, and sync their phone number
before they can select Google Authenticator for
use. Only once the user selects Google
Authenticator in their security settings are they
prompted with set-up instructions, and only then
do they receive the QR code to sync their account to the mobile app. Most users would be
inclined to search for instructions online, or spend extra time sifting through their account
settings, searching for how to set the authenticator up. First-time users would also have no idea
that a secondary device was required to complete the setup process.
Additionally, another piece of information that users might be likely to search for would
be a list of applications or systems that the Authenticator is compatible with, aside from Google.
There is a clear mismatch here between the information that users seek, and the actual
information the Authenticator provides. Users are looking for information about different systems
Google Authenticator supports, but the Authenticator does not provide any of this information.
The inability for users to identify which accounts they can use Google Authenticator with could
result in users adding incompatible accounts to the authenticator that serve no function.
Ultimately, users search for basic information in Google Authenticator: instructions on
how to set it up, and information about what accounts they can use with it. These pieces of
information are paramount as to whether or not a user decides to use the Authenticator, or
deletes the application altogether out of confusion or frustration. Without these basic pieces of
information, the user might also end up selecting a different two-factor authentication system
that contains the ease of set up and information that Google Authenticator lacks.

Benefits and Harms

Benefits
1. Added layer of security
2. Lessens risk of data breaching
3. Reduced risk of fraud
4. Centralized location and accessibility
5. No cost

There are several benefits that Google Authenticator provides. Firstly, as an application
that allows users to add a second factor of authentication to their accounts, Google
Authenticator provides users with an additional layer of security to all of their accounts. Next,
Authenticator effectively reduces the risk of data breaching. Behind online accounts are an
abundance of personal information, from credit card numbers, to personal emails, to banking
and tax statements, which are all at stake. Since a two-factor verification process is required for
log in, valuable data therefore has greater protection from hackers, who must break through an
additional wall in order to gain access. Also, the risk of fraud is reduced; aside from a user’s
account username and password, the hacker must also have a user’s physical phone, and the
ability to unlock it. The Google Authenticator additionally has many benefits pertaining to user
accessibility. All the 6-digit verification codes are stored in one central location and are available
without needing to be online. This could come in handy in situations where users lack cell
service, like on airplanes or in remote locations. Lastly, Google Authenticator can be
downloaded and utilized at no cost. It is easily accessible and provides protection for users’
accounts for free.

Harms
1. Difficult to set up
2. Time-consuming
3. Loss of account access
4. False sense of security
5. Defenseless against phishing

Although there are multiple benefits to using Google Authenticator, there are still a
number of harms that may arise with the use of the app. First off, the Authenticator is quite
difficult to set up, which could potentially discourage users from taking initiative in setting up the
application and reaping in its benefits. In addition, the two-step verification process could be
seen as a nuisance for many, due to the increased time and patience required to unlock
phones, to open the Authenticator for the 6-digit verification code, and to type the code in with
every log in. Moreover, when users acquire new or different phones, they must sync their
accounts to the Authenticator all over again, another time-consuming process. Next, the user
could lose access to their account and be unable to log in for prolonged or indefinite periods of
time. In the case that their mobile device runs out of battery, gets damaged or stolen, or the
Google Authenticator app simply faces functional issues, the user would no longer have access
to their accounts. Additionally, users may be more likely to be filled with a false sense of security
due to increased confidence in the protection of their accounts. This false sense of security
could lead users to being less careful when creating passwords and might even perpetuate the
habitual creation of weak pins or repeated passwords. The truth is that user accounts will never
be 100% secure; a second factor of authentication is only capable of lowering the risk of
compromise. Finally, the Google Authenticator is practically useless in the case that a user
encounters a phishing site. For example, if a user receives a phishing message prompting them
to log into their credit card account, the user would be redirected to a “fake” website made to
look like the actual credit card website: a “phishing” site. The phishing site would take the user
through the typical log-in processes, with the user logging into their “account” like normal and
entering their Authenticator code. Without even realizing it, the user would have already given
away their credentials. Phishing sites thus pose a harm, since Google Authenticator has no way
to control or prevent phishing.

Automation, Policies, and Amplification

Automation

Google Authenticator’s automation is primarily in the random 6-

digit codes, which a user can select to be generated as a single
stagnant code, or to be regenerated on a timely basis. These codes
provide value in the sense that they allow users to easily add a second
factor of authentication to their accounts and complete a short process
to increase the protection of their accounts. On the other hand, the 6-
digit codes may be harmful if users find the process tedious and are
deterred from using two-factor authentication. The availability of the 6-
digit codes are also reliant upon the function of a user’s mobile device,
so if a user’s mobile device is not working or other external factors are
inhibiting the function of their device, the user will be unable to gain
access to their account.

Policies

One major policy that the Google Authenticator is subject to is

the General Data Protection Regulation (GDPR) Act in the European Union. This act ensures
that companies provide a reasonable amount of privacy for customer data. It was a huge step in
regulating what companies could and could not do with user information. This meant that
Google Authenticator had to “be accountable for monitoring and protecting [user] data on a daily
basis” (Nadeau, 2020). This information included data such as user names, identities, or IP
addresses. This provides for an interesting paradox; the primary purpose of Google
Authenticator is to protect vulnerable user data from hackers, so one might find it ironic that an
app created to protect user data is also subject to regulations meant to protect user data.
Another significant policy that Google Authenticator is subject to is the California
Consumer Privacy Act (CCPA) which was enacted in 2018. This act “creates new consumer
rights relating to the access to, deletion of, and sharing of personal information that is collected
by businesses” (“The California Consumer Privacy Act”, 2020). Both the GDPR and CCPA
affect user experience in the sense that they provide users with more authority over their private
information. Users are also guaranteed the right to be knowledgeable and aware of the
information being collected about them. Within the Google Authenticator experience, users
therefore have the ability to filter the information being collected about them, and to determine
whether or not to disclose the information to businesses and outside organizations.

Amplification

All in all, the Google Authenticator is an amplifier of social change because it

encourages users to consider the prevalence of online security threats through its provision of
dual-factor authentication, and gives users a tool and practice to better defend against those
threats. Many individuals fail to understand the true scope of danger in selecting “weak”
passwords or repeating passwords for multiple accounts. Google Authenticator provides users
with an easy tool to better protect their accounts, while also promoting better security methods.
For example, people who use Google Authenticator are likely to use dual-factor authentication
for more of their accounts in the future. Online information is better protected and less
vulnerable, especially for users who frequently use library computers or other public networks.
In contrast, although Google Authenticator by nature promotes better account security, the
greater sense of confidence in the protection of accounts could result in less vigilance of users
in controllable aspects of their accounts like creating strong passwords or creating unique
passwords for different accounts. Users could also become increasingly and dangerously more
dependent on their mobile devices as a result of the necessity of Google Authenticator in
account access.

APA Works Cited

California Consumer Privacy Act (CCPA). (2020, February 10). Retrieved from
https://oag.ca.gov/privacy/ccpa

Nadeau, M. (2019, May 29). What is the GDPR, its requirements and facts? Retrieved from
https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-
requirements-deadlines-and-facts.html