Mobile codes to boost Google account security
A two-step verification feature is designed to serve as an additional roadblock for phishers who have managed to steal people's Google Apps passwords.
Google is making it harder for Gmail and other Google Apps accounts to get compromised by adding an optional feature that will send a security code to your smartphone for logging in.
The two-step verification feature will be available to Google Apps premier, education, and government customers on Monday, and to the hundreds of millions of individual Google users in coming months, as a built-in part of the free service, a Google product manager told CNET.
Until now, Google accounts have been protected only with passwords, which are susceptible to phishing and other social-engineering attacks.
The two-step verification feature will put an additional roadblock in the way of online criminals by generating a one-time six-digit code that is sent to the account holder and must be entered to complete the login. The code is sent only after the correct password has been provided.
This type of two-factor authentication--something you know (password) and something you have (smartphone with code)--is similar to smart cards and tokens, except that the code is accessed on a piece of hardware you most likely already carry.
Google users will sign up for the service through the Settings page and will be able to specify whether they want to get the security code sent to them via text message or automated voice call, or through a Google Authenticator app they can download to their Android device, BlackBerry, or iPhone. The code is randomly generated and changes every few minutes.
Many people might find it inconvenient to have to check their phone and type in an additional code every time they want to check their Gmail. To solve this problem, Google has made it so that people using the same computer to access their accounts can check a box to "remember verification for this computer" so that they won't be asked for a code on that computer for a month.
Those who are happy with password-only security don't have to opt in to the new feature. Google Apps enterprise administrators will be able to turn the feature on for any user in the organization.
The impetus for the feature came about a year and a half ago, when Google engineers asked themselves, "What's the single thing we can do to improve the security for our users the most?" said Travis McCoy, a security product manager at Google.
Google is open-sourcing the software so companies can do customization and port the app to other platforms. Google also is using an open standard to generate the codes so "vendors can offer a token that will work with Google Apps," McCoy said.