Google adds two-factor authentication to login process, with one-time passwords offered via mobile phones

Google has extended its verification offering to add two-factor authentication for its account users.

The offering, called ‘2-step verification’, allows users to log in using a password and a one-time passcode obtained using their phone. The user signs in as normal and then encounters a second page that prompts them for a code.

This one-time password can be delivered by a call from Google, via an SMS message or by a mobile application on an Android, BlackBerry or iPhone device.

Nishit Shah, product manager at Google Security, said: “It is an extra step, but it is one that significantly improves the security of your Google account because it requires the powerful combination of both something you know (your username and password) and something that only you should have, your phone.

“A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘remember verification for this computer for 30 days’ option, and you would not need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”

Security blogger Brian Krebs said that he found the 2-step verification setup process to be quick and painless, if a little involved. He said: “I chose to set it up to call my Skype line and read the code aloud and the call came in three seconds after I hit the submit button. The setup wizard then gave me ten backup codes to use in cases when for whatever reason I don't have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.

“This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside of the ‘user settings’ panel in Gmail, an area into which many users probably never venture.

“Many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly designed social engineering attacks could still trick users into giving away the codes. Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days.”

Marcus J. Ranum, CSO of Tenable Network Security, said: “What Google has done is wonderful because it doesn't merely ask for ‘something you know and something you have’, it wants ‘something you know and something you value a lot’. In the past we have seen that people are willing to give away an authentication credential in return for very little, but most people will be much more precious about hanging onto their phone.

“Even more importantly, a mobile phone is a high value item so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is brings a high external cost into the equation. This is a very good move.”
