How secure are App key's or API key's in a 2FactorWorld ?

Just today checking my email and I see Apple Mail struggling to send out a reply email over SMTP protocol. Not sure why smtp.gmail.com is acting up tonight. Moreover my old gmail and my google apps account which has my stepvda.net domain are not both doing the same. One appears to be working the other not. Quickly googling around I immediately find the answer on support.google.com: https://support.google.com/mail/thread/25935005?hl=en By means of this few months old support article Google is recommending the use of an app key instead of two factor authentication. As an interesting sidenote, Google's search prioritizes information around this issue for people seemingly using 2FA which it can do as it can know I use it as I am logged in with my Google account when I search the web. I'm pretty sure I remember this approach being suggested by Google as well way back when Apple Mail could not yet support 2FA and app key's were suggested as a temporary workaround until Apple also would support Google's 2FA authentication tokens. At the time it was in a nicer looking "how to setup your account on mac" page whereas now we have to rely on search results and the unavoidable Google Assistant (see afterword on Google Assistant)

We are now all securing our lives, yes not just our digital lives, with two factor authentication. However the moment some app doesn't seem to like 2FA, even for a brief moment, we are not worried at all to abandon it for something, hopefully equally secure, or why not even more secure because it sounds newer then 2FA?

Why would an app key be different from 1-fator-authentication or username and password? Simple answer: it is not. App key's are in fact dangerous. Smart companies know this so they mitigate. You get a whole bunch of options to limit what an app key can actually do. Seems like every button on the screen can be linked to an app key access setting. What to choose now? Tonight I really just want to do email in my faithful Apple Mail client on MacOS. I could jump to a browser to mail.google.com and often I do. But somehow getting an overview of all my emails in a way that I find them actionable isn't working for me on Google Apps Mail. On the other hand search is great. Whatever I tried on Apple's spotlight, Google's email search trumps it every time. It's quicker, more accurate, spans more data and indexes are richer going far beyond the contents of every email attachment. So I use different tools for different purposes with the same account. Still I should only do anything as long as it is secure. We've had 2FA for our banking applications, frankly as long as anyone can remember. Some, like me, started to use it on the job almost on contract signing day with an RSA fob. 2FA is proven, and still somewhat practical so we must stick to it.

We add more and more complexity to those apps we use and depend on every day but we don't stop enough to ask what does that new cool feature actually mean for how secure an app will still be or not? Do I understand:

• What access rights it has?
• What actions it can perform?
• On who's behave it can do or access what data?
• What do those "third parties" with "minimalistic" data access do with your data?
• How easy it is to trace what was done with access that you granted to your account?
• Can I quickly revoke any access I give?

Sounds a bit nitty-gritty you might think. But what if things go horribly wrong. Suppose someone or even some-bot, manages to get hold of such an app-key that has access to read, send, delete any email on your account? How cooperative are Google, Apple, Github even LinkedIn when somebody does steal your identity? Will they give you detailed IP's addresses, maybe mac-addresses, maybe web server logs filtered to your account activity? After all isn't this is all PII? Once authorities have to get involved will they then finally grant request for the above which is actually just the law?

Does not having an "app" to access a server log constitute reason enough for refusing the law? The answer, no one has a clue. It is simply easier to say to customers that it is not allowed, not possible, not legal, not PII, then to try a little harder. At some point however "the shit will hit the fan" and a case will be presented in front of, I'm speculating here, a US-court. A judge, jury or even Grand-Jury, will speak its mind. Big tech, even presidents will read carefully and fall in line.

Before all that we might have to listen to some rumble in the jungle of lower court rooms in various countries and various unions (US, UK, EU,...). Creative legal minions will come up with new ways to confuse the issue. Many things will be tried to make us not remember that there's always a genie in "the bottle" as there is a "spirit behind each law" (intentionally sticking to the literal translation of my somewhat native Dutch). When you poke a genie too much, he, or she, gets upset. When a genie gets upset, it costs.

Afterword on Google Assistant

So if you are still reading you also might know we are entering the "Age of the Bot". Friendly digital assistants like Google's Assistant or Alexa, Siri and more polite digital friends are here to help.

Just the other day Lex Fridman reminded me of Microsoft's "Clippy", the friendly paperclip floating over your Word application kind of annoying eating up the "fast"-ness of your now ancient PC. More on Lex's youtube blog: https://www.youtube.com/user/lexfridman. Lex will have to forgive for not finding back the exact blog but at least you have his youtube channel.

We didn't call Clippy an AI back then, we called it annoying. Today Google gives us the Assistant. I will let you read my intimate conversation with this chatbot for a little while...

While you were reading this intimate conversation and otherwise completely besides the point: It took me long enough figuring out you can also just upload an image in this new linkedin publishing thing. Meanwhile I also learned how to embed a link from my own content delivery network, so feel free to download the same screenshot here: https://south.stepvda.net/google_assistant_admin_help_apple_mail.png Embedding it with preview clearly needs some work (heads up to linkedIn, euhm euhm).

Back to the afterword, not only does Google's Assistant no longer give you the nice and easy to use "how to" instruction but it only seems to rely on what other users, meaning us, write. When doing so, it's convinced I must get an answer in a French support article because I live in Belgium and my account details in Google Apps tell it I speak Dutch, French, English, learning German, but really online I always set anything to plain English. Plain English being offcourse different from UK English, London being only 500km, that's 310miles, away from my hometown Brussels and also different from US English which I used to prefer above colours and tomaaaaatos because now we have airplaine English, PC English and International English. No wonder a bot gets confused.

(disclaimer: No linkedin, as much as I like you, the content of this article does not belong to you. I wrote it. No legal statement you can make me skim, like you skim milk, will make me believe, or any court room believe, that you have any intellectual property over this article, post or also referred to as the above.)