September 20, 2010, 10:44AM

Google Adds Two-Factor Authentication to Apps Accounts

Google has added a two-factor authentication mechanism to the login procedure for its Google Apps offerings, hoping that the addition will help cut down on the amount of fraudulent activity on these accounts.

The way that Google has chosen to approach the problem of two-factor authentication is somewhat novel, as it's a twist on the old out-of-band authentication technique that's been in vogue for a few years now, especially in online banking applications. In most cases, that involves users entering their username and password and then using a one-time password that is generated by a token provided by the bank or a similar code sent by the bank via SMS.

Google's approach is somewhat different. The company said on Monday that Google Apps customers will be able to generate a one-time password via an app installed on their smartphones, whether BlackBerry, iPhone or Android device.

"When signing in, Google will send a verification code to your phone, or let you generate one yourself using an application on your Android, BlackBerry or iPhone device. Entering this code, in addition to a normal password, gives us a strong indication that the person signing in is actually you. This new feature significantly improves the security of your Google Account, as it requires not only something you know: your username and password, but also something that only you should have: your phone. Even if someone has stolen your password, they'll need more than that to access your account," said Travis McCoy, product manager on Google's security team, in a blog post Monday.

"Building the technology and infrastructure to support this kind of feature has taken careful thought. We wanted to develop a security feature that would be easy to use and not get in your way. Along those lines, we're offering a variety of sign in options, along with the ability to indicate when you're using a computer you trust and don't want to be asked for a verification code from that machine in the future."

One-time passwords via SMS are popular because they work “out of band,” that is, they don’t rely on the same communications channel (for example, the Internet) to deliver the one-time password. Customers also like them because they rely on a technology everyone possesses and don’t require users to carry a separate physical token, such as a USB stick, one-time password generator or smart card.

However, the use of one-time passwords via SMS isn’t foolproof. Security experts have noted that session-based tokens won’t protect online sessions from man-in-the-middle attacks if the machine running the sensitive application has been compromised by a Trojan, which can simply wait for the user to enter the one-time password before inserting itself into the transaction. And, as more mobile devices sport Web browsers, experts wonder about the degree to which one-time passwords sent via SMS can still be considered ‘out of band.’

Authentication and authorization have become serious challenges in the world of Web applications, as more and more users are storing large amounts of personal data on the Web. This includes not just email and attachments, but personal financial records and other sensitive information. Attacks against Web apps and man-in-the-middle attacks that enable the theft of banking credentials are now a favored tactic for attackers looking for a simple way to go where the money is.

Google's approach to the problem may well be a harbinger of things to come, as smartphones become the default computing devices for many users.
