Google adds two-factor authentication to login process, with one-time passwords offered via mobile phones

News by Dan Raywood

Google has extended its verification offering to add two-factor authentication to its account users.

Google has extended its verification offering to add two-factor authentication to its account users.

The offering, called ‘2 –step verification', allows users to login using a password and a one-time passcode obtained using their phone. The process involves a user signing in as normal and then encountering a second page that will prompt them for a code when they sign into their account.

This one-time password can be from a call from Google, via an SMS message or by a mobile application on an Android, BlackBerry or iPhone device.

Nishit Shah, product manager at Google Security, said: “It is an extra step, but it is one that significantly improves the security of your Google account because it requires the powerful combination of both something you know (your username and password) and something that only you should have, your phone.

“A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘remember verification for this computer for 30 days' option, and you would not need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”

Security blogger Brian Krebs said that he found the 2-step verification setup process to be quick and painless, if a little involved. He said: “I choose to set it up to call my Skype line and read the code aloud and the call came in three seconds after I hit the submit button. The setup wizard then gave me ten backup codes to use in cases when for whatever reason I don't have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.

“This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside of the ‘user settings' panel in Gmail, an area into which many users probably never venture.

“Many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly designed social engineering attacks could still trick users into giving away the codes. Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days.”

Marcus J. Ranum, CSO of Tenable Network Security, said: “What Google has done is wonderful because it doesn't merely ask for ‘something you know and something you have', it wants ‘something you know and something you value a lot'. In the past we have seen that people are willing to give away an authentication credential in return for very little, but most people will be much more precious about hanging onto their phone.

“Even more importantly, a mobile phone is a high value item so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is brings a high external cost into the equation. This is a very good move.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews