Two-factor authentication for Google accounts goes live

As previously reported by Infosecurity, Google had planned to roll out a 2FA procedure for users of its online applications, which include its popular Gmail web-based email service. The method, which generates a one-time, temporary second password, went live on Thursday and has been available to Google enterprise customers for several months.

“We've developed an advanced opt-in security feature called 2-step verification that makes your Google account significantly more secure by helping to verify that you're the real owner of your account”, wrote Nishit Shah, product manager with Google Security, in a blog post. “Now it's time to offer the same advanced protection to all of our users.”

Shah said that setup for the opt-in feature can take up to 15 minutes and can be found under the settings page for each Google account. A set-up wizard will guide Google app users through the process, which includes linking the account to a phone number to receive the one-time temporary code. After going through the set-up process, an additional ‘verification code’ page will appear following the normal login procedure.

Google account users can opt to receive the code via voice or text, or they can choose to generate a one-time code using mobile apps for Android, BlackBerry, or iPhone.

Marcus Ranum, CSO at Maryland-based security firm Tenable Network Security, applauded the move by Google. “Two factor authentication remains one of the coolest and smartest ideas in computer security”, he said. “The concept goes back to the 1980s, and few security ideas can claim to have such longevity.”

This simple method for 2FA, added Ranum, is bolstered by the fact that users have grown attached to their smartphones as being near-necessities of modern life. “In the past we've seen that people are willing to give away an authentication credential in return for very little, but most people will be much more precious about hanging onto their phone”, he continued.

“Even more importantly, a mobile phone is a high-value item, so a spammer would have to buy a new phone each time one of their accounts got shut down and the associated mobile phone got blacklisted. What that does is bring a high external cost into the equation. This is a very good move.”
