
Google adds two-factor authentication to Gmail via SMS one time passwords


Google has announced that it is to add two-factor authentication to its mobile applications and Gmail.

This means that Google Apps, including Gmail, will feature a two-step verification process which requires users to input a user ID, a password and a six-digit code that is sent to their mobile phones.
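To make the two-step flow concrete, here is an added example of the server-side half of such a scheme: a record of the six-digit codes issued after the password check, which expire, lock out after a few wrong guesses, and are consumed on first successful use so they cannot be replayed. This is illustrative code written for this article, not Google's implementation; the five-minute validity window, the three-attempt limit and the in-memory store are assumptions, and the SMS gateway is replaced by a callback so the example runs offline.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code is only valid for five minutes
MAX_ATTEMPTS = 3         # assumption: a code is voided after three wrong guesses


class OtpStore:
    """Server-side record of pending one-time codes (in-memory, for illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be exercised deterministically
        self._pending = {}       # user_id -> (code, issued_at, wrong_attempts)

    def issue(self, user_id, send_sms):
        """Called after the password step succeeded: mint a fresh code, remember it,
        and hand it to the SMS channel. Any earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (code, self._clock(), 0)
        send_sms(user_id, code)

    def verify(self, user_id, submitted):
        """Second-factor check. Unknown, expired or over-tried codes fail; a correct
        code is deleted immediately so a captured code cannot be used twice."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        code, issued_at, attempts = record
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user_id]
            return True
        self._pending[user_id] = (code, issued_at, attempts + 1)
        return False


def demo():
    """Walk the store through the cases a practitioner cares about and return the outcomes.
    The clock and the SMS channel are constructed stand-ins, not real services."""
    now = [1_000_000.0]
    sent = {}
    store = OtpStore(clock=lambda: now[0])
    deliver = lambda uid, code: sent.__setitem__(uid, code)
    results = {}

    # Wrong code, then the real one, then a replay of the real one.
    store.issue("alice", deliver)
    wrong = "000000" if sent["alice"] != "000000" else "000001"
    results["code_format_ok"] = len(sent["alice"]) == CODE_DIGITS and sent["alice"].isdigit()
    results["wrong_code"] = store.verify("alice", wrong)
    results["right_code"] = store.verify("alice", sent["alice"])
    results["replayed_code"] = store.verify("alice", sent["alice"])

    # Expired code: advance the clock past the validity window.
    store.issue("alice", deliver)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code"] = store.verify("alice", sent["alice"])

    # Lockout: three wrong guesses void the code even if the right one follows.
    store.issue("alice", deliver)
    wrong = "000000" if sent["alice"] != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong)
    results["after_lockout"] = store.verify("alice", sent["alice"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design choice worth noting is that the code is bound to a short window, a small number of attempts and a single use on the server, which is what makes a six-digit number acceptable as a second factor; the digits themselves carry far too little entropy to resist guessing without those controls.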

Travis McCoy, product manager for Google Security, said that Google was looking for a way to prevent account takeovers due to weak or stolen passwords. He said: “We wanted to look and see what single area could we work on that would have the greatest impact on user security. We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”

Security blogger Brian Krebs commented that this effectively means that Google will be offering more secure authentication than many US financial institutions currently provide for their online banking customers.

He said: “I find it remarkable that Google will soon be offering for free a level of security authentication that many banks don't yet afford their customers for online banking, even when those customers are willing to pay extra for it.

“While cyber thieves increasingly are defeating multi-factor authentication approaches like the one Google is offering, and this offering also will do nothing to stop phishing attacks that trick users into entering credentials at fake Google online properties, it is more robust than requiring a simple user name and password, which is more or less what many commercial banks rely on right now.”

Gartner analyst Avivah Litan said that this was a first step, but that a lot more needed to be taken. She said: “Before we all get too excited, note that the one time password generated by or sent to the mobile phone is simply entered by the user into the user's PC browser in order to log into Google Apps.

“This authentication method has long been beaten by banking Trojans like Zeus; in other words, a man-in-the-browser attack will simply sit there in the browser until the user enters the password and will then go do its malicious thing.

“So while the new authentication method may placate the masses by requiring more than just a password for log in to cloud applications, it will do little if anything to stop determined fraudsters from taking over user and customer accounts. Sure, security layers are a good thing but don't get deluded into thinking this method is enough.”

Marcus Ranum, CSO of Tenable Network Security, welcomed the move, claiming that what Google has done ‘is wonderful because it isn't merely something you know and something you have, it is something you know and something you value a lot’.

He said: “We have seen in the past that people are willing to give away an authentication credential in return for a chocolate bar, but most people are strongly acculturated to hang onto their phones.

“Even more importantly, a mobile phone is a high-value item, so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is bring a high external cost into the equation. It's a very good move.”
