Recapping Google’s new two-factor authentication

I wanted to post about Google’s new two-factor authentication announcement. Two-factor authentication is something you have (e.g. a phone) and something you know (e.g. a password). It’s a Big Deal because if your account or business has two-factor authentication, those accounts are immediately less likely to be phished, hijacked, or otherwise abused. There’s a neat Google Authenticator application that runs on Android, iPhone, and Blackberry:

Google Authenticator Logo

For the “something you have,” Google provides lots of ways to authenticate:
– SMS, e.g. for cell phones
– a voice phone call, e.g. for landline phones
– authentication apps, e.g. for smartphones that might be abroad or not have a signal. Android, iPhone, and Blackberry phones are supported.
one-time/single-use codes that you can print out as a final fallback and put in your wallet, desk or a safety deposit box.

This announcement has a few bonus features. Here are some extra-good things that make me happy:
– Two-factor authentication will be offered on all Gmail accounts “in the next few months,” according to TechCrunch.
– You can authenticate a particular browser using cookies for 30 days per browser. So you don’t get bugged with a login message on a computer you use every day, like your home computer.
– Google open-sourced the Android authentication app and according to that page will open-source the iPhone app soon.
Drew Hintz mentioned in the TechCrunch comments that the Google Authenticator app uses RFC 4226, so a lot of this work is open stuff that people could take and build on.

Drew also does a great job debunking misconceptions in the TechCrunch comments:
Random commenter: Google wants my phone number? (insert too-much-data-conspiracy here)
Drew: Actually, you can use the app if you prefer not to provide a phone number

Overall, this is a great launch. I’ve seen the pain that a hijacked account can cause, over and over and over again. Don’t just protect yourself with a password. As soon as you can, add an extra layer of protection with two-factor authentication on your account. Two-factor authentication: it’s not just for World of Warcraft any more.

41 Responses to Recapping Google’s new two-factor authentication (Leave a comment)

  1. Always been happy with the landline ‘Voice Phone Call’ whenever I have needed to update anything; good service that keeps getting better.

  2. Good stuff, I’m excited about this as well.

    Many of us who worked in publishing or finance have used those FOB/RSA tokens – and I’ve always wanted to bring that level of security to my web apps. SMS+mobile apps seems like the best way to accomplish this.

  3. Thank you for pointing out the iPhone app. I assumed it wasn’t available because it’s not listed in mobile applications when I set up two-factor (only Android and Blackberry were mentioned). I found it in the iTunes Store and even thought the description of the iPhone app says it’s only “available for Premier and EDU Google Apps customers at this time”, I tried it and it seems to work. Thanks!

  4. I recently agreed to a two-factor authentication for a site. Haven’t had enough time to see if it’s worth the loss of privacy but Google is definitely sending mixed signals on privacy. I’m not trying to stir up the inevitable rude commentary with that — I just mean that there is a privacy cost involved in any measure that improves personal security. I think Google should acknowledge that cost in some way.

  5. I’m really excited Google’s launching two factor. World of Warcraft, of all things, has been providing two factor for years now and it works quite well. I’m glad that my Google account can have similar protection. Combine this with OpenID and we have a real win.

  6. I really dislike the reliance on phones here. A phone call, a phone text message, a phone app.

    It doesn’t seem to be accessible, it seems annoying to me, as someone who isn’t tied to a smart phone all day. To assume we all are, well, is an assumption.

    Likewise I dislike places that require you to frequently change your password. It is too much. A new password every x months, different from previous passwords, using letters, numbers, no dictionary words, and a different password for each service you’re using.

    Unless you’re an actual android you aren’t going to be able to remember your passwords, so you write them down, or store them in a file on your desktop. This is what normal people do when forced to have passwords normal people cannot remember. Especially when you have potentially dozens of logins at different places.

    So then, your careful security, amounts to a slip of paper or a postit note stuck to a monitor. Oops.

    A lot of banks do security very well, and that is what we should emulate. They don’t require you to change your password, they do other things, maybe two passwords. A password and a pin. ING does it very well. They use a custom picture with phrase that defeats phishing handily, without needing a phone. If you visit their website and don’t see your picture and custom phrase (different for everyone) you know it isn’t their website. They also have a keypad on screen allowing you to type in your pin with your mouse, instead of typing it, which defeats keyloggers. Then of course encrypted connections should defeat sniffing, and I’m sure their backend has brute force detectors to defeat cracking. Its pretty secure.

    That I think is the better way of doing account access security.

    Oh, of course phones get stolen all the time.

  7. Matt,

    Thank you so much for this announcement. I have been paranoid about this for years. I was about to switch to Google Apps Premium for my primary e-mail address to have access to a 24/7 support number in case I was compromised.

    Having a secure email account is so important. It is your virtual home. A break in can be devastating.

    Kyle

  8. Hmm.

    On the one hand this may help. My Gmail was hacked Thursday, and from the Twitter sphere it appears that I wasn’t the only one who spent the last few days trying to mop up the mess and warn friends I was being spoofed while trying to get Google to let me back in.

    On the other hand, that hacker changed my password, security question, alternate email and phone number within minutes (I was quickly alerted since I received concerned phone calls almost instantly.) Once they break in and alter all our info, this just makes it that much harder for us to convince Google that we’re the legitimate account user.

    I don’t know what the answer is. Privacy versus security is a real challenge. I know you can’t look at people’s email, but at the same time, when the same word-for-word identical Phishing email is spewing out of multiple Gmail user accounts to every contact on their list, all sent from a Nigerian IP address, all right after all the security info has been changed on those accounts, isn’t there some way to flag that as “suspicious”?

  9. Stupid question, but most people (I think; I know I did) give a cell phone when they create their gmail. I just always assumed in the event of something malicious I could use that phone to recover my account via 2-step (I have the phone, and I know all the stuff about the account prior to it being stolen and possibly changed)

    Is this basically saying that without this new thing I am (and certainly would have been) hosed?

    Or to put it another way, outside of marketing speak, what actually has changed?

  10. Unfortunately a downside to enabling this it means that it’s no longer possible to use imap, pop3 or the activesync for iphone to get email.

  11. Love this approach. But what happens if I get robbed on vacation (phone, one-time codes etc. all gone). How can I get a new code to at least access my contacts and communicate again e.g. from an internet cafe?

  12. Ken Aston, even worse than the scenario you’re describing would be to have you account compromised and hijacked while on vacation. I can’t stress enough how important this measure is. Plus, it’s optional.

  13. Frankie, Thank you, I totally agree, just would like to get a solution for this scenario. 🙂

    Exactly this happened to me before and I was reliant on my contact list and email account to sort things out.

  14. Hi Matt

    I’ve watched the Youtube video in which you reassure us white hats that we’ll do better over time against black hats. But what if a black hat competitior was systematicaly (and experly) spamming site after site to the top of the SERPs? If this went on ad finitum then surely they would do better over time?

    You also said a little something about lobbying……

    Please please take a look at the SERPs on google.com and google.co.uk for “prom dresses” and related phrases.

    Chinese companies keep blog and comment spamming their way into the top 10 SERPs. These companies sell dresses at cheap prices but dont ship what’s shown in their photos. That’s partly because the photos they use are not their own (and not representative of their capability) and partly because quality still remains a huge issue in China.

    The only way these companies are reaching US and UK consumers is through manipulating the organic SERPs.

    Currently, there is just no let up. It is clear that many of these spam sites are owned by the same company. Each time one of these sites gets demoted (usually this takes a couple of months), there’s already another climbing the SERPS. These companies are using stratgic and sustained black hat tactics and they are succeeding…..and they are succeeding over time.

    Please please help.

    Thank you

    Vic

  15. not sure that a phone is a particurly good “what you have” as phones can be cloned or atacked over the air (MIM attacks) also for corporate use whose phone do you use?

    maybe Google needs to use the same or similar keyfobs that blizzard use.

    and as your targeting big companies and orgs having a gogle autheticator as part of the paid for service might be a diferiantator.

  16. So the GMail will win twice against the new Yahoo! Mail…
    Hey, that’s awesome!

    Thanks for some detailed announcements

  17. Matt,

    I remember a couple weeks ago Google asking me for a cell phone number for authentication on my account. I don’t have a cell phone, I consider them to be infantilizing, but Google didn’t give a land line option.

    Morris

  18. I agree that this is a great launch, but I also agree about Google sending “mixed signals” on privacy and protection. I work at VeriSign, where we’ve been urging Google to implement extended validation ssl certificates in the cloud for years now (there’s now a default https connection for Gmail but it is not, to my knowledge, encrypted with the green url bar or padlock). 2FA will indeed protect accounts from getting hacked into to a certain extent, I just wonder if it’s enough. I still only use cloud services for non-sensitive communications (though admittedly I work in an industry whose missives need more protecting than most). But I don’t want to sound like I’m totally dumping on Google, either, for taking another crack at security…this is a definitely a step in a more secure direction.

  19. I’m backing this idea. If someone gets into your Google account, there’s inevitably going to be a domino effect there as they can access so many other important passwords, etc. from it. It’s good to see Google looking after privacy, although I do wonder what alternatives will be offered for those who find the phone option inconvenient or impractical?

  20. I noticed the same issue as Morris, maybe a month ago. Is cellphone number that necessary?

  21. Hi Matt,
    Thinking in security matters thats a very good option, but for some people using google’s account for very private personal purposes they would don’t like share his telephone numbers.

  22. So what does this mean for marketers like myself who NEED to create gmail accounts for their clients so they can use services such as youTube or Google Analytics? Now I have to tell the client to give me their phone number for authentication for the account – and what happens if that employee leaves in a month?

    I could MAYBE see this as a solution for google places authentication, but gmail?!!! This is way overboard – make a 40 digit password, or use three questions, or something. I don’t care how you spin it, this is bullcrap. Stay out of my phone.

  23. Matt,

    I think I suggested this a few years ago, but I believe Google should have a paid phone line for people who are desperate about whatever, account being hacked, website falling out of index, being falsely tarred as a child abuser by a spammer, whatever. It wouldn’t require an admission of guilt or incompetence on Google’s part, just the admission that smart algos can’t cope with ever situation that comes up and human beings can be harmed. For people who feel that their life or business is being destroyed, a $100 charge to talk to a live human being at Google who could at least report back with – “it’s a glitch”, “you’ve been banned for bad behavior”, “we can’t legally do anything unless you get a lawyer”, whatever, would be well worth it.

    The greatest knock against Google I know amongst professionals using Google programs (with the exception of Adwords) is the lack of access to a human being by e-mail. What Google offers is a bunch of forums staffed by well meaning volunteers who don’t have answers or access to answers. Nobody who is dealing with a crisis wants to be sent to a forum to publicly report their problems with what appears to be a very low probability of getting a solution.

    The only reason I can think of that Google doesn’t offer direct support of any kind is the fear that it would draw a bunch of dumb questions and whining from spammers. So charge for it. The current deal where Google plays at Olympic godhood is evil.

    Morris

  24. This is necessary for security purposes, thanks to google they are always on the top when it comes to look for a much better service to its user .

    Thanks for the announcement Matt.

  25. Dear Matt,

    I couldn’t agree more. Anything, and I do mean anything, that could help fight hackers and other internet cretins that spend their time ruining reputations or years of work is a very good thing, and the extras you alluded to are great bonuses………..thank you Google anti-spam team!!!

  26. I’ve tried the phone option here in Canada several times and so have a few different clients (also in Canada) and no one here seems to actually get the call. So hopefully your “official launch” has worked out the kinks as of a couple of weeks ago phone calls are not an option if you seem to be outside the US.

    Texting at least works and so I tell all my clients to choose that option.

  27. “There’s a neat Google Authenticator application that runs on Android, iPhone, and Blackberry: (grey G icon)”
    I went to the Google Enterprise blog and saw people commenting about their Google Apps account and got lost wondering if one needs a Google Apps account to authenticate. Giving up, I came back here and hovered on the grey G icon, to discover that it is a link! It links to an Android app http://www.appbrain.com/app/com.google.android.apps.authenticator.

    Even so, being an iPhone user, I was none the wiser, so a search led me to http://www.google.com/support/mobile/bin/answer.py?hl=en&answer=189753, which says, “ If you don’t have a Google Apps account, this information won’t apply. In particular, using Google Authenticator to generate two-step verification codes requires a Google Apps Premier, Education, or Government Edition account

    There needs to be a paid option for corporations that is directly tied to authentication, not via Google Apps (which may add unwanted delays within the corp approval process where the corp does not want employees to use Google Apps).

  28. I just got a message today about this when logging into my Gmail. You said it wasn’t coming out to Gmail for a couple of months. Did it already start?

  29. I can only confirm that phone verification is working less than perfect outside of USA. I live in Sweden and until now I haven’t been able to confirm anything at all using the phone option. Not even my Gmail account. I really think this two-factor authentication is a great option and I really hope it will work outside of USA as well.

  30. Anything that helps and is easy to use is fine by me. The inconvenience caused by a lost account is very distressing.

  31. in mu opinion a voice phone call is the best way to use for that.
    Even if is so hard to realize that a a voice phone call is strong and secure is one of the most powerfull tool for it.
    Is my opinion – hope you’ll consider it.

  32. Hey Matt,

    This company http://www.googlelocalranking.org is spamming people about doing local seo for them and with Google in the domain name, it certainly gives the impression that they are related to Google in some way.

    Is this company associated with Google?

  33. How will two factor authentication work for people that represent other companies on the web, such as SEO firms. Are there provisions for the same phone verifying more than 1 site or email account? Overall for the individual user it seems like a great thing but for those of us that manage multiple web properties for ourselves and others it seems like it may cause difficulties.

  34. I have one comment… ok, maybe two.. I am a fan of multi whatever level authentication, I use the VIP system through Verisign for PayPal, my domain registrar and a few other online places… so, good for Google for following suit… (got a kick out of the blog post calling this innovation though)

    My main comment, as a paying Apps Premier customer is this:

    When will my contact lists in my email and Google Voice be one???????????????? thats the one thing that irritates me to no end, and has for waaaaaaaaayyyyyy longer than it should.

  35. This sounds like a good thing. I have recently been a victim of bank fraud and online account hijacking of a website. We need to put as many roadblocks down as possible to slow this down.

  36. Anything that adds minimal effort to the login process if I’m a legit user, but significantly increases the difficulty for someone trying to hijack the account is a move in the right direction. It just needs to be flexible, because what is minimal effort for me is a pain for someone else.

  37. The more secure the better. It sounds like a good idea.

  38. Take it from an expert with over 15 years of experience in online security… This is the wrong direction. Google chose the worst form of two-factor authentication available (“out-of-band”).

    Google is perpetuating the misconception that a hacker cannot compromise the process since the hacker is not in possession of the user’s phone. However, the hacker does not need to be in possession of the user’s phone to compromise an “out-of-band” process. The hacker simply needs to trick the user into divulging the received phone code. This is the method typically used by hackers to compromise out-of-band authentication. The hacker constructs a counterfeit webpage to solicit the user’s credentials (a relatively easy task for a hacker). Then, using scripting on the counterfeit webpage, they transmit the solicited credentials to the legitimate google website. Google sends the user’s phone a code, and the user, believing they are communicating with the legitimate google website, enters the received code on to the counterfeit webpage. The counterfeit webpage then sends this additional information to the genuine google website and…presto… they are logged into the victim’s account.

    All google has done is add more complexity to their login process but they have not added any real additional security. Companies who have toyed with this method in the past (google is by no means the first) typically abandon it after several months due to high user complaints, great losses of users, and little security benefits realized.

  39. I’m really excited Google’s launching two factor. World of Warcraft, of all things, has been providing two factor for years now and it works quite well. I’m glad that my Google account can have similar protection. Combine this with OpenID and we have a real win.

  40. I was really happy with google account policy, but somehow I am being thoroughly obsessed by that. To be more specific, google has disabled my entire account 3 days ago – which is tofu.lameass@gmail.com. As it stands, my only developing blog, google profile, and all other contents are locked and out of access. However, I wish I could know what I did so wrong. Besides, I barely can find an answer about what to do when the google account is disabled. As everyone is telling to utilize the contact-us form; I did, but unfortunately after sending 4 emails, even if I was begging – however, their negligence was on top of everything. This is the reason why I have came here for help. Please help me. I can’t wait anymore. 🙁
    I don’t wanna put a question mark on google; I believe they’re doing everything because of our safety. But shouldn’t we at-lease can have their response. 🙁

    Please help me Matt, or at least let me know what I did so wrong. For give me for not being patient.

  41. I was really happy with google account policy, but somehow I am being thoroughly obsessed by that. To be more specific, google has disabled my entire account today – which is judibooty96@gmail.com. As it stands, my only developing blog, google profile, and all other contents are locked and out of access. However, I wish I could know what I did so wrong. Besides, I barely can find an answer about what to do when the google account is disabled. As everyone is telling to utilize the contact-us form; I did, but unfortunately after sending 4 emails, even if I was begging – however, their negligence was on top of everything. This is the reason why I have came here for help. Please help me. I can’t wait anymore. 🙁
    I don’t wanna put a question mark on google; I believe they’re doing everything because of our safety. But shouldn’t we at-lease can have their response. 🙁

    Please help me Matt, or at least let me know what I did so wrong. For give me for not being patient.

css.php