Google adds two-factor authentication to Gmail via SMS one time passwords
Google has announced that it is to add two-factor authentication to its mobile applications and Gmail.
This will mean that Google Apps, including Gmail, will feature a two-step verification process which will require users to input a user ID, a password and a six-digit code which is sent to their mobile phones.
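As an added illustration of the two-step flow described above (this is example code, not Google's implementation), the following Python sketch checks the user ID and password first, then issues a six-digit code that is handed to an out-of-band channel and verified as a second step. The code lifetime, the attempt cap, the stubbed SMS gateway and the user table are assumptions made for the example; the article states none of them.

```python
"""Server-side sketch of a two-step login: password first, then a six-digit
one-time code delivered out of band (e.g. by SMS).  Added example, not Google's
implementation; the SMS gateway is stubbed and all user data is constructed."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of a code; the article gives none
OTP_MAX_ATTEMPTS = 5    # assumed guess budget per issued code

# Constructed user table.  A real deployment would use a slow, salted password
# hash (bcrypt/scrypt/Argon2); sha256 is used here only to keep the example
# dependency-free.
_USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}

# Stub for the SMS gateway: records the last code issued per user.
SENT: dict[str, str] = {}


def _digest(user_id: str, code: str) -> str:
    """Hash the code so the store never holds a usable code in clear text."""
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class OtpStore:
    """Tracks one pending code per user: hashed at rest, time-limited,
    single-use, with a bounded number of verification attempts."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending: dict[str, dict] = {}

    def issue(self, user_id: str) -> str:
        # secrets.randbelow draws from a CSPRNG; zero-pad to a fixed width so
        # the code's length reveals nothing about its value.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = {
            "hash": _digest(user_id, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the SMS gateway, never logged

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]        # expired: force a fresh issue
            return False
        entry["attempts"] += 1
        if entry["attempts"] > OTP_MAX_ATTEMPTS:
            del self._pending[user_id]        # burn the code after too many guesses
            return False
        # Constant-time comparison of the two hashes.
        ok = hmac.compare_digest(entry["hash"], _digest(user_id, submitted))
        if ok:
            del self._pending[user_id]        # single use
        return ok


def send_sms(user_id: str, code: str) -> None:
    """Stand-in for the SMS gateway."""
    SENT[user_id] = code


def step_one(store: OtpStore, user_id: str, password: str) -> bool:
    """Step 1: check user ID and password; only on success issue a code."""
    stored = _USERS.get(user_id)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return False
    send_sms(user_id, store.issue(user_id))
    return True


def step_two(store: OtpStore, user_id: str, code: str) -> bool:
    """Step 2: the user types the code received on the phone into the browser."""
    return store.verify(user_id, code)


if __name__ == "__main__":
    store = OtpStore()
    assert step_one(store, "alice", "correct horse battery")
    print("login:", step_two(store, "alice", SENT["alice"]))  # True, then False on reuse
```

The store never keeps the code itself, only a hash; each code expires, can be used once, and is discarded after a handful of wrong guesses so the six-digit space cannot be brute-forced. None of this helps when malware already sitting in the browser relays the code the user types in, which is the limitation the analysts quoted below describe.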
Google Security product manager Travis McCoy said that Google was looking for a way to prevent account takeovers due to weak or stolen passwords. He said: “We wanted to look and see what single area could we work on that would have the greatest impact on user security. We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”
Security blogger Brian Krebs commented that this effectively means that Google will be offering more secure authentication than many US financial institutions currently provide for their online banking customers.
He said: “I find it remarkable that Google will soon be offering for free a level of security authentication that many banks don't yet afford their customers for online banking, even when those customers are willing to pay extra for it.
“While cyber thieves increasingly are defeating multi-factor authentication approaches like the one Google is offering, and this offering also will do nothing to stop phishing attacks that trick users into entering credentials at fake Google online properties, it is more robust than requiring a simple user name and password, which is more or less what many commercial banks rely on right now.”
Gartner analyst Avivah Litan said that this was a first step, but that many more need to be taken. She said: “Before we all get too excited, note that the one time password generated by or sent to the mobile phone is simply entered by the user into the user's PC browser in order to log into Google Apps.
“This authentication method has long been beaten by banking Trojans like Zeus; in other words, a man-in-the-browser attack will simply sit there in the browser until the user enters the password and will then go do its malicious thing.
“So while the new authentication method may placate the masses by requiring more than just a password for log in to cloud applications, it will do little if anything to stop determined fraudsters from taking over user and customer accounts. Sure, security layers are a good thing but don't get deluded into thinking this method is enough.”
Marcus Ranum, CSO of Tenable Network Security, welcomed the move, saying that what Google has done “is wonderful because it isn't merely something you know and something you have, it is something you know and something you value a lot.”
He said: “We have seen in the past that people are willing to give away an authentication credential in return for a chocolate bar, but most people are strongly acculturated to hang onto their phones.
“Even more importantly, a mobile phone is a high value item, so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is bring a high external cost into the equation. It's a very good move.”