Google has added a two-factor authentication mechanism to the login procedure for its Google Apps offerings, hoping that the addition will help cut down on the amount of fraudulent activity on these accounts.

The way that Google has chosen to approach the problem of two-factor authentication is somewhat novel, as it’s a twist on the old out-of-band authentication technique that’s been in vogue for a few years now, especially in online banking applications. In most cases, that involves users entering their username and password and then using a one-time password that is generated by a token provided by the bank or a similar code sent by the bank via SMS.

Google’s approach is somewhat different. The company said on Monday that Google Apps customers will be able to generate a one-time password via an app installed on their smartphones, whether BlackBerry, iPhone or Android device.

“When signing in, Google will send a verification code to your phone, or let you generate one yourself using an application on your Android, BlackBerry or iPhone device. Entering this code, in addition to a normal password, gives us a strong indication that the person signing in is actually you. This new feature significantly improves the security of your Google Account, as it requires not only something you know: your username and password, but also something that only you should have: your phone. Even if someone has stolen your password, they’ll need more than that to access your account,” said Travis McCoy, product manager on Google’s security team, in a blog post Monday.

“Building the technology and infrastructure to support this kind of feature has taken careful thought. We wanted to develop a security feature that would be easy to use and not get in your way. Along those lines, we’re offering a variety of sign in options, along with the ability to indicate when you’re using a computer you trust and don’t want to be asked for a verification code from that machine in the

One-time passwords via SMS are popular because they work “out of band,” that is, they don’t rely on the same communications channel (for example, the Internet) to send the one-time password. Also, customers like them because they rely on a technology everyone possesses and don’t require users to carry a separate physical token, such as a USB stick, one-time password generator or smart card.

However, the use of one-time passwords via SMS isn’t foolproof. Security experts have noted that session-based tokens won’t protect online sessions from man-in-the-middle attacks if the machine running the sensitive application has been compromised by a Trojan, which can simply wait for the user to enter the one-time password before inserting itself into the transaction. And, as more mobile devices sport Web browsers, experts wonder about the degree to which one-time passwords sent via SMS can be considered ‘out of band.’

Authentication and authorization have become serious challenges in the world of Web applications, as more and more users are storing large amounts of personal data on the Web. This includes not just email and attachments, but personal financial records and other sensitive information. Attacks against Web apps and man-in-the-middle attacks that enable the theft of banking credentials are now a favored tactic for attackers looking for a simple way to go where the money is.

Google’s approach to the problem may well be a harbinger of things to come, as smartphones become the default computing devices for many users.
