Google Has People Talking About Two-Factor Authentication

Earlier this week, Eran Feigenbaum, Director of Security for Google Apps, posted this on the Google Enterprise Blog. In an effort to attain greater acceptance among enterprise IT departments, Google has added a second factor – in this case a code transmitted to a registered wireless device as an SMS-based text message – to its log-in procedures. Matt Cutts, a Google Engineer who heads up the spamware team, offers some great background here.

It is a major development, even though Google first started using SMS-based one-time passwords (OTPs) back in March, using technology from Arcot. Microsoft introduced its flavor of text-based OTP in May.

Google will send out authentication codes by SMS (Short Message Service) or voice message free of charge in 19 countries including Australia, Denmark, France, Germany, the Netherlands, Sweden, the U.K. and U.S. The authentication codes can also be generated locally using a smartphone app called Google Authenticator, available as a free download from the Android, BlackBerry or iPhone app stores.

The message that is being reinforced by Google this time around is that “access to systems based on PINs or passwords is not secure.” If they think about it for very long, they should see that transmission of text-based OTPs is only secure if the right person is in possession of the phone in question. So I’m hoping that, soon enough, they’ll get serious about authenticating the phone’s owner, not just the device. That’s when voice-based authentication will be much more interesting.


