
Google adds two-factor authentication to login process, with one-time passwords offered via mobile phones


Google has extended its verification offering to add two-factor authentication to its account users.

The offering, called ‘2-step verification’, lets users log in with a password plus a one-time passcode obtained through their phone. The user signs in as normal and is then taken to a second page that prompts for the code before access to the account is granted.

The one-time passcode can be delivered by a voice call from Google, by SMS message, or generated by a mobile application on an Android, BlackBerry or iPhone device.

Nishit Shah, product manager at Google Security, said: “It is an extra step, but it is one that significantly improves the security of your Google account because it requires the powerful combination of both something you know (your username and password) and something that only you should have, your phone.

“A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘remember verification for this computer for 30 days’ option, and you would not need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”
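To make the flow concrete, here is an added simulation of the login process described above: a password check, then a one-time code sent over an out-of-band channel, with the ‘remember this computer for 30 days’ token and the application-specific passwords that Shah mentions. This is example code written for this page, not Google's implementation; the function names, the five-minute code lifetime, the three-attempt limit and the in-memory `Phone` class that stands in for a call, SMS or app are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60      # assumed lifetime of a one-time code
MAX_CODE_ATTEMPTS = 3          # assumed guesses allowed before a fresh code is needed
REMEMBER_SECONDS = 30 * 86400  # the article's "remember this computer for 30 days"


def _digest(secret, salt):
    """Salted hash so passwords and pending codes are never stored in clear."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


class Phone:
    """Constructed stand-in for the out-of-band channel (voice call, SMS or app)."""
    def __init__(self):
        self.received = []

    def deliver(self, code):
        self.received.append(code)


class Account:
    def __init__(self, username, password, phone):
        self.username = username
        self.salt = secrets.token_hex(8)
        self.password_digest = _digest(password, self.salt)
        self.phone = phone
        self.pending = None       # current one-time code: digest, expiry, attempts
        self.remembered = {}      # device token -> expiry timestamp
        self.app_passwords = {}   # label -> digest of an application-specific password

    def matches(self, digest, secret):
        return hmac.compare_digest(digest, _digest(secret, self.salt))


def start_login(account, password, device_token=None, now=None):
    """Step 1: password check. Returns 'denied', 'ok' (remembered device) or 'code_required'."""
    now = time.time() if now is None else now
    if not account.matches(account.password_digest, password):
        return "denied"
    if device_token is not None and account.remembered.get(device_token, 0) > now:
        return "ok"   # second factor already satisfied by the 30-day device token
    code = f"{secrets.randbelow(10 ** 6):06d}"
    account.pending = {"digest": _digest(code, account.salt),
                       "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    account.phone.deliver(code)   # the code leaves only via the out-of-band channel
    return "code_required"


def finish_login(account, code, remember=False, now=None):
    """Step 2: one-time code check. Returns (success, device_token_or_None)."""
    now = time.time() if now is None else now
    pending = account.pending
    if pending is None or now > pending["expires"]:
        account.pending = None
        return (False, None)
    pending["attempts"] += 1
    if not account.matches(pending["digest"], code):
        if pending["attempts"] >= MAX_CODE_ATTEMPTS:
            account.pending = None   # force a fresh code after too many guesses
        return (False, None)
    account.pending = None           # a code is consumed on success, so replay fails
    token = None
    if remember:
        token = secrets.token_urlsafe(16)
        account.remembered[token] = now + REMEMBER_SECONDS
    return (True, token)


def create_app_password(account, label):
    """Random application-specific password for a client that cannot prompt for a code."""
    secret = secrets.token_hex(8)
    account.app_passwords[label] = _digest(secret, account.salt)
    return secret


def app_login(account, password):
    """Non-browser path: only an app-specific password works here, never the account password."""
    return any(account.matches(d, password) for d in account.app_passwords.values())


if __name__ == "__main__":
    phone = Phone()
    acct = Account("alice", "correct horse battery", phone)
    print(start_login(acct, "correct horse battery", now=0))
    print(finish_login(acct, phone.received[-1], remember=True, now=1))
```

Two details carry the security value: the code is bound to one login attempt and discarded once used or expired, so a code captured from a phone is only useful for a few minutes and exactly once; and the application-specific password is a separate secret, so a client that stores it never holds the real account password or a way past the code prompt.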

Security blogger Brian Krebs said that he found the 2-step verification setup process to be quick and painless, if a little involved. He said: “I chose to set it up to call my Skype line and read the code aloud, and the call came in three seconds after I hit the submit button. The setup wizard then gave me ten backup codes to use in cases when, for whatever reason, I don't have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.

“This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside the ‘user settings’ panel in Gmail, an area into which many users probably never venture.

“Many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly designed social engineering attacks could still trick users into giving away the codes. Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days.”

Marcus J. Ranum, CSO of Tenable Network Security, said: “What Google has done is wonderful because it doesn't merely ask for ‘something you know and something you have’, it wants ‘something you know and something you value a lot’. In the past we have seen that people are willing to give away an authentication credential in return for very little, but most people will be much more precious about hanging onto their phone.

“Even more importantly, a mobile phone is a high-value item, so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is bring a high external cost into the equation. This is a very good move.”
