More and more of our information and day-to-day activities are in the cloud. Email, file storage, pictures, personal data and the like are sitting in cloud-based applications. Most systems still use the old fashioned (some say quaint) practice of accessing these systems with a username and password. The problem is that all of it is subject to attack by all the hacking and phishing schemes for our passwords. It is not the most secure system, but it is convenient.
Fortunately Google is taking a big step forward with their new two-factor authentication for everyone who uses Google services. This feature has been available to Google Apps customers since last fall and it’s coming to a browser near you soon. The feature is an opt-in one (are you listening Facebook) and most of us should be seeing it in the next week or so.
So what is it? Two-factor authentication is a way to improve security by requiring your existing password and a short-lived verification code. The two factors are something you know, such as your password, and something you have, such as a physical token or ID card. You could also use biometric data, like a fingerprint; you see this in movies all time. This is not a new concept and many businesses have been using it for years. The common approach is to have a physical device that connects through a computer or a wireless network and generates a verification code. You enter the code and you are in.
For Google, you login into your account by entering your existing username and password. Google then sends a verification code to your mobile device or a standard telephone. You have to enter this code as a secondary login to access your account. The key is that this second code is only valid for a few minutes and is constantly changing. This makes it very difficult to phish and hack.
You generate this second code by having Google call you, send you a text message or by installing Google Authenticator on your smartphone or tablet. They have versions of Authenticator for Android, BlackBerry, iPhone, iPod Touch and iPad. According to Google, you need to be a bit web savvy to set it up, but they have some explicit instructions to do it.
Here is the example of how it will work.
How you sign in with 2-step verification
- When you want to access Google products from your browser, go to that product and enter your username and password.
- You’ll next be prompted to enter your verification code, which you’ll get from your phone. You’ll only have to do this once every 30 days if you so choose.
- Soon after you turn on 2-step verification, non-browser applications and devices that use your Google Account (such as Gmail on your phone or Outlook), will stop working. You’ll then have to sign in using your username and a special password you generate for this application. (Don’t worry, you’ll only have to do this once for each device or application.)
This last step is the only one that’s a bit complicated as you need to create an account specific password for each application. You only need to do this once for each application and device.
Google also has backup measures in case you lose your mobile phone. You can designate a backup telephone number just in case. Since you can receive the verification code by text, the smartphone app or a phone call, you have a lot of options.
To get started do the following:
- Log into your Google account
- Click on My Account and click “Using 2-step verification” under Security
- If it’s activated, it will appear and you can start the setup process. If it’s not available, it will be soon.
- Set up your primary phone. Instructions are here. Install Google Authenticator if you are using an Android, Blackberry or Apple iOS device.
- Add a backup phone.
- Record your backup codes. Google sends you 10 backup codes to use instead of the verification code in case you are not near your phone and need to use your application. You can use each code once.
- Configure an app specific code for each device and Google application that you access without a browser.
- Configure all your applications with the one-time codes.
- Log into Google and use the 2 factor authentication.
It’s nice to see Google implementing this for their services since it’s a big improvement in security. With more businesses and consumers using GMail, Google Docs, Google Apps and other Google services, it should reduce the problem of data breaches through phishing schemes and hacking. Remember that this doesn’t relieve you of the responsibility to use a strong password as your primary and take steps to keep it secure. It just gives us another way to help secure our information. I hope other SaaS and cloud-based services follow Google’s lead.
Photo credit itbusinessca