Google said today that it will begin offering users greater security protections for signing in to Gmail and other Google Apps offerings. This “two-step verification” process — which requires participating users to input a user ID, password and six-digit code sent to their mobile phones — effectively means Google will be offering more secure authentication than many U.S. financial institutions currently provide for their online banking customers.
The search giant will be making the technology available to its enterprise (paying) customers immediately, and it will be free to consumers within the next few months. Users who choose to take advantage of the technology can have the codes sent via text message or a special Google mobile app. All devices that are successfully authenticated can then be set to not require the two-step process for the next 30 days.
Travis McCoy, product manager of Google Security, said the company was looking for a way to prevent Google account takeovers made possible by weak or stolen passwords.
“We wanted to look and see what single area could we work on that would have the greatest impact on user security,” McCoy said. “We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”
Companies that have moved to require hardware-based two-factor authentication often build in backup or failsafe systems in case customers choose to use the added security but don’t have access to the device that provides that second factor. PayPal, for example, lets users require the input of a one-time password generated from a battery-operated key fob supplied by the online payment provider; customers who need access to their account but don’t have the key fob with them can still get at their money by correctly answering a series of challenge questions.
Similarly, Google also offers an alternative failsafe by providing each user a set of five one-time access codes that are specific to an account. Google enterprise users can simply have their administrator temporarily disable the secondary authentication layer if they can’t access their phones (for example, if the phone is lost, stolen, or has a dead battery).
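The paragraph above describes a set of five one-time access codes as a fallback when the phone is unavailable. The following is an added example, not Google's code, showing how a service can issue such codes and redeem each one exactly once; the code length, count and the SHA-256 storage scheme are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 5, length: int = 8) -> list:
    """Return `count` random numeric one-time codes for the user to print or store.

    Uses the `secrets` module so the codes are unpredictable (assumed format:
    eight decimal digits, five codes per account)."""
    return ["".join(str(secrets.randbelow(10)) for _ in range(length))
            for _ in range(count)]


def _digest(code: str) -> str:
    # Store only a hash so a leaked account database does not hand out working codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class BackupCodeStore:
    """Server-side record of the unused backup codes for one account."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; spaces and dashes typed by the user are ignored."""
        wanted = _digest(code.replace(" ", "").replace("-", ""))
        for stored in list(self._unused):
            # Constant-time comparison so timing does not leak which stored hash matched.
            if hmac.compare_digest(stored, wanted):
                self._unused.discard(stored)  # burn the code: it can never be reused
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("issued:", codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use accepted:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

A real deployment would also rate-limit redemption attempts and prompt the user to regenerate the set once it runs low; both are left out here to keep the mechanism visible.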
I find it remarkable that Google will soon be offering for free a level of security authentication that many banks don’t yet afford their customers for online banking, even when those customers are willing to pay extra for it. While cyber thieves increasingly are defeating multi-factor authentication approaches like the one Google is offering — and this offering also will do nothing to stop “phishing” attacks that trick users into entering credentials at fake Google online properties — it is more robust than requiring a simple user name and password, which is more or less what many commercial banks rely on right now.
I was reminded of this last night, when I was contacted by a businessman who owns a dining establishment less than two miles from my home. His business recently lost almost $50,000 when cyber thieves broke into an employee’s computer and stole the user name and password for the company’s online banking account. I’ve agreed not to name the company or its bank because the bank may be willing to offer a partial settlement if the businessman agrees not to publicize the case or file a lawsuit. But the only thing separating the thieves from this victim’s cash was a user name and a password.
Google’s new offering may actually help avoid this pitfall. McCoy said the company’s mobile app will run on an open standard designed to integrate with third-party authentication technologies. While many banks have shied away from requiring security tokens and one-time passwords because of the high cost of purchasing, distributing and maintaining these devices, a solution that lives on the customer’s mobile phone could be a no-cost, little-hassle way to address those concerns.