Google has introduced a new two-step authentication feature for Gmail users that it says will significantly increase the security of the free mail service. The system enables users to set up a method for obtaining a secret code that will be required, along with a password, to access a Gmail account.
The new two-factor authentication system is a voluntary program right now, although it could become mandatory at some point in the future. Gmail, like virtually all other webmail services, has been a frequent target of attacks, both sophisticated and mundane, aimed at hijacking users’ accounts. The most famous of these came during the Aurora operation against Google and others, part of which targeted the Gmail accounts of Chinese dissidents.
Under the new authentication system for Gmail, which the company announced today, users will have the option in their Account Settings page of enabling a setting that will require them to enter a code as well as a password. Google will send that code to the user via SMS or a phone call. Users will also have the option of installing an app on their mobile device that can generate the code locally.
“Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we’ll have a pretty good idea that the person signing in is actually you,” the company said.
“It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account.”
The system is similar in intent to ones used by some banks to offer an extra measure of security for online banking. Some banks allow users to select a picture that they then must identify during the login process, along with entering a username and password, while others allow users to set up an SMS verification system like the Gmail method. The Gmail system follows on the heels of a similar one that Google introduced for Google Apps recently.