Having recently made two-factor authentication available for Google
Apps customers, Google recently extended its more secure sign-on
mechanism to all Google Accounts.
Google calls the process two-step verification. It is intended to
reassure those who believe they need more than a mere password
standing between their online data and the cyber-thieves of the
world.
"Two-step verification requires two independent factors for
authentication, much like you might see on your banking Web site:
your password, plus a code obtained using your phone," explains
Google product manager Nishit Shah in a blog post.
The set-up process isn't ridiculously onerous, but it isn't
drop-dead easy either. Google suggests setting everything up may
take 15 minutes. Thoughtfully, users aren't entirely on their own:
Google provides a set-up wizard to guide people through the
necessary steps.
Turning two-step verification on is done through the "Using 2-step
verification" link on the Google Account Settings page. Users who
don't see any such link can expect it to be available within the
next few days.
Once enabled, a user who signs in with the Account password will be
presented with an extra Web page asking for a code. Google will
either generate an automated call with the code, send the code to a
mobile phone via SMS, or allow the user to generate the code using
an app on an Android, BlackBerry or iPhone device.
A particularly convenient feature is the ability to register a
backup phone to receive codes, in case one's primary phone get
stolen or is lost.
Additional security, however, should not be confused with foolproof
security. In late 2009, Gartner issued a research note recommending
further defenses beyond two-factor authentication. It seems
cyber-thieves have had some success bypassing two-factor security
schemes at some banks using man-in-the-middle attack techniques.
The fraudsters managed to have verification phone calls associated
with compromised accounts forwarded to their own phones.
But Google's decision to offer extra security to those who want it
represents a step in the right direction.
Matt Cutts, who runs Google's Web spam team, notes that two of his
relatives have had their Gmail accounts hijacked because someone
guessed their passwords.
"If someone hacked your Gmail account, think of all the other
passwords they could get access to, including your domain name or
Web host accounts," he wrote in a blog post.
While conceding that the extra security of two-step verification
may be an inconvenience, he insists it's worth the trouble. "I use
it on my personal Gmail account, and you should too," he said.