Google Apps, now with two-step verification security

In an effort to help companies and businesses using Google Apps gain more confidence in cloud security, Google announced the availability of a new security option, two-step verification, which will increase security across the entire Apps platform if enabled. The optional functionality, as explained on the Official Google Enterprise Blog, makes users identify themselves using two pieces of information: something they know (a password), and something they own (a mobile device). Since many security administrators no longer feel that entering a password is good enough verification, two-step verification sends an authentication code to your mobile phone after you enter your password. Only when you enter that code into the second step of the login process are you granted access to your account.

While this is by no means a foolproof method of security--and let’s face it, there is no such thing--this solution makes it much more likely that the user authenticating is the right one. It is also a low-cost, easy-to-implement solution that uses already-purchased assets (on the assumption that account owners have a mobile device of some sort) to provide an otherwise expensive increase in security.

Anticipating a potential pitchfork-and-torch mutiny from the users who will have to take out their phones every time they log in, Google has included an option to trust a computer, so that the computer asks for step two only once and then only for regular password authentication going forward.
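The login flow described above, as an added example in Python; it is not Google's implementation or code from the article. The signing key, lifetimes, token layout and function names are assumptions, and the account is constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # assumption: per-deployment signing key
CODE_TTL = 300                          # assumption: a code is valid for 5 minutes
TRUST_TTL = 30 * 24 * 3600              # assumption: a computer stays trusted 30 days
PASSWORDS = {"alice": "correct horse"}  # constructed account; plaintext only for brevity
pending = {}                            # user -> (code, expiry) awaiting step two


def _mac(user, expiry):
    return hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def trust_token_valid(token, user, now):
    """A trust cookie counts only for the user it names, unexpired and unmodified."""
    try:
        t_user, expiry, mac = token.split("|")
        fresh = now < int(expiry)
    except (AttributeError, ValueError):
        return False
    return (t_user == user and fresh
            and hmac.compare_digest(mac.encode(), _mac(t_user, expiry).encode()))


def step_one(user, password, trust_token=None, now=None):
    """Password check. Returns 'denied', 'granted' or 'code_required'."""
    now = time.time() if now is None else now
    stored = PASSWORDS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "denied"
    if trust_token_valid(trust_token, user, now):
        return "granted"  # trusted computer: step two is skipped
    # The code would be sent to the user's phone; here it is only stored.
    pending[user] = (f"{secrets.randbelow(10**6):06d}", now + CODE_TTL)
    return "code_required"


def step_two(user, code, remember=False, now=None):
    """Code check. Returns (granted, trust_token or None)."""
    now = time.time() if now is None else now
    expected, expiry = pending.pop(user, ("", 0))  # pop: one attempt per code
    if not expected or now > expiry or not hmac.compare_digest(expected.encode(), code.encode()):
        return False, None
    if not remember:
        return True, None
    trust_expiry = int(now) + TRUST_TTL
    return True, f"{user}|{trust_expiry}|{_mac(user, trust_expiry)}"
```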


11 Comments


I use this for Verisign already on my Android phone (which works with eBay + Paypal). We also use an RSA SecurID for VPN access at work, which works the same way ... so yeah, this is good news that more companies are going this route.

I'd love to see an OpenID implementation to support two factor authentication of really any kind. It'd be nice to have a global authority on those things, you'd register a generic RSA key, or smart card, or whatever with some global provider, and then it's allowed to be accepted as a token into your account.

The sad thing is that I can do this with World of Warcraft, or Starcraft II, but I can't do it with my Hotmail account or Yahoo. It's ridiculous and stupid.

Hercules said,
I'd love to see an OpenID implementation to support two factor authentication of really any kind. It'd be nice to have a global authority on those things, you'd register a generic RSA key, or smart card, or whatever with some global provider, and then it's allowed to be accepted as a token into your account.
Oh you mean like "one hack to own them all"?

Glassed Silver:win
The sad thing is that I can do this with World of Warcraft, or Starcraft II, but I can't do it with my Hotmail account or Yahoo. It's ridiculous and stupid.

Ridlas said,
Password>RSA SecurID passcode + RSA SecurID keyfob digits.

It's what we use at work. Works flawlessly.


Yeah I've got one of those too from work. I agree, works great.

Perceiving a potential pitchfork-and-torch mutiny from the users who will have to take out their phones every time they login, the new security layer offers an option to trust a computer, giving the computer the ability to ask only once for step two, and then only for regular password authentication going forward.

Ha. I wonder if it will have the same ridiculous "workaround" that Bank of America has on their website:

If you select the Safepass option, it remembers which computer you regularly log in from. And if you try to log in from somewhere else, it will ask to send a message to your phone with a code you have to enter.

Now to completely bypass that system, all you have to do is go to BoA's mobile website and it will remember your computer as an "authenticated" one.