
Google adds two-factor authentication to Gmail via SMS one time passwords


Google has announced that it is to add two-factor authentication to its mobile applications and Gmail.

This will mean that Google Apps, including Gmail, will feature a two-step verification process which will require users to input a user ID, a password and a six-digit code sent to their mobile phones.
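Server-side handling of the six-digit code in the second step described above, as an added illustration that is neither Google's code nor from the article; the five-minute code lifetime and five-attempt limit are assumptions, and delivery of the code by SMS is left out.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: cap guesses so the 10^6 code space cannot be brute-forced


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class SecondStepVerifier:
    """Issues and checks six-digit one-time codes for the second login step.

    The first step (user ID + password) is assumed to have succeeded before
    issue() is called; sending the code to the phone is out of scope here.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user_id: str) -> str:
        # CSPRNG, zero-padded so every value in 000000..999999 is equally likely.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(code=code, issued_at=self._now())
        return code  # in a real system this goes to the SMS gateway, not the caller

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]   # expired: the user must request a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]   # too many guesses: invalidate the code
            return False
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            entry.used = True            # single use: replaying the same code fails
            return True
        return False
```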

Google Security product manager Travis McCoy said that Google was looking for a way to prevent account takeovers caused by weak or stolen passwords. He said: “We wanted to look and see what single area could we work on that would have the greatest impact on user security. We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”

Security blogger Brian Krebs commented that this effectively means that Google will be offering more secure authentication than many US financial institutions currently provide for their online banking customers.

He said: “I find it remarkable that Google will soon be offering for free a level of security authentication that many banks don't yet afford their customers for online banking, even when those customers are willing to pay extra for it.

“While cyber thieves increasingly are defeating multi-factor authentication approaches like the one Google is offering, and this offering also will do nothing to stop phishing attacks that trick users into entering credentials at fake Google online properties, it is more robust than requiring a simple user name and password, which is more or less what many commercial banks rely on right now.”

Gartner analyst Avivah Litan said that this was a first step, but that many more need to be taken. She said: “Before we all get too excited, note that the one time password generated by or sent to the mobile phone is simply entered by the user into the user's PC browser in order to log into Google Apps.

“This authentication method has long been beaten by banking Trojans like Zeus; in other words, a man-in-the-browser attack will simply sit there in the browser until the user enters the password and will then go do its malicious thing.

“So while the new authentication method may placate the masses by requiring more than just a password for log in to cloud applications, it will do little if anything to stop determined fraudsters from taking over user and customer accounts. Sure, security layers are a good thing but don't get deluded into thinking this method is enough.”

Marcus Ranum, CSO of Tenable Network Security, welcomed the move, claiming that what Google has done ‘is wonderful because it isn't merely something you know and something you have, it is something you know and something you value a lot’.

He said: “We have seen in the past that people are willing to give away an authentication credential in return for a chocolate bar, but most people are strongly acculturated to hang onto their phones.

“Even more importantly, a mobile phone is a high value item so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is bring a high external cost into the equation. It's a very good move.”
