“Two-factor authentication” may be the least sexy-sounding feature I’ve ever written about. But if you’ve ever worried about being phished or having your password hacked, it could be your best friend — because it makes it much, much harder for a hacker to break into your account. Today, Google is announcing that it’s bringing the security feature to its millions of users: the feature will be rolling out first for Google Apps Premiere, Education, and Government edition customers, with plans to bring it to all Google users (even those who aren’t using its Apps suite) in the next few months.
So what exactly is two-factor authentication? Most of the login systems you’ve probably used are only ‘one-factor’ — you enter one password and you’re in, but if that password gets compromised, you’re toast. More secure systems are common in large businesses, and often require both a password and a physical card or dongle to log in — these are called ‘two-factor’ systems, because they require both your password and another key, and are far more secure because a hacker probably isn’t going to have that physical token. Unfortunately these security systems are generally quite expensive. But Google is bringing one to the masses.
Google’s system doesn’t require a physical keycard. Instead, it relies on your mobile phone. First, you need to activate the optional feature from your settings page (again, this is only available to certain Google Apps customers at first). Then, when you go to sign in to your Google account, you’ll first be asked to enter your password as usual. Next, you’ll be brought to a screen asking for a verification code (see the screenshot above).
The verification code comes from your mobile phone, which you’ve previously linked up to your Google Account. Google has built a ‘Google Authenticator’ application for Android, the iPhone, and BlackBerry — fire up the application, and it will give you the six-digit verification code that you enter back into your browser (the system can also send you an SMS message or give you the code via voice call).
That’s it. The entire process only takes a minute or so, but it’s much more secure because anyone wanting to access your account will also need access to your mobile phone. You can opt to require this two-factor authentication all the time, or you can elect to only require it one time per computer (in other words, you’ll only need to enter it once on your home PC and/or work computer).
Like I said, this may not sound sexy, but it’s a big deal. Given how much data users are storing on Google, and the fact that plenty of people still fall prey to phishing scams on a regular basis, this is a major step in helping keep users secure. This is all optional (unless your Apps administrator sets a policy requiring it), but I suspect Google will be making a push to urge users to take advantage of the new system as it begins rolling out more broadly.
The news will also make Google Apps an even more tempting proposition for security-conscious businesses (Google notes that prior to this release, it was also the first company to receive FISMA certification in the collaboration/document sharing space). To make this more appealing to businesses, Google is also open-sourcing its authentication apps, so businesses can create their own custom-branded versions.