By Seth Weintraub
September 20, 2010

‘Two-factor authentication’ may  satisfy the security concerns of many CIOs but it adds a burden to users.

Google’s Enterprise blog announced that some customers would soon have the ability to add two-factor authentication to their Apps accounts.  This service is now available for government and premier customers and will  roll out to all Apps users and Gmail users in the coming months.

It is an opt-in service. Users identify their home computers  only once for authentication.  Company Apps administrators may not be as lax, however.  Once enabled by an administrator, end users can set up the security feature in the accounts tab in Gmail settings.

Google explains:

Two-step verification is easy to set up, manage and use. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account, something you know: a password, and something you have: a mobile phone. It doesn’t require any special tokens or devices. After entering your password, a verification code is sent to your mobile phone via SMS, voice calls, or generated on an application you can install on your Android, BlackBerry or iPhone device. This makes it much more likely that you’re the only one accessing your data: even if someone has stolen your password, they’ll need more than that to access your account. You can also indicate when you’re using a computer you trust and don’t want to be asked for a verification code from that machine in the future.

This is a big step for organizations that aren’t comfortable with the single sign-on method of verification that Google currently employs.  By adding the additional step (and tying it with a mobile device) Google will satisfy a much broader swath of corporate IT standards, especially in banking and government.

The downsides are few but significant.  Users obviously won’t be excited about another authentication step that involves pulling a device out of their pocket and firing up an app.

Google also allows the password to be sent over SMS.  While that makes just about any mobile device made in the last ten years a way of authentication, it also could add SMS charges if your carrier charges by text.

Another downside is that getting your phone stolen is now a key in getting into your e-mail, though you’ll likely be able to remote-wipe your phone.  Theives will still need your original password to get into your e-mail.

Google notes its own security creds:

Two-step verification continues Google’s stream of security innovation. In early 2009, we added the ability to view password strength and set minimum password length requirements for Google Apps accounts. Later in the year we were the first to provide HTTPS encryption to millions of users, and in 2010 Google Apps was the first cloud messaging and collaboration service to gain U.S. government security certification.

You May Like