Gmail’s Two-Factor Authentication
Google recently implemented a new “two-factor” authentication option for their Gmail application. Two-factor authentication adds another layer of security by requiring an additional verification after you enter your valid username and password combination. This makes it more difficult for a malicious user who may have stolen your password to actually access your account. Google’s implementation reminds me of how RSA tokens work when accessing a corporate VPN or some other websites that support them. After you enter your username and password you get a request for this additional “token.” The token is generated in one of two ways:
* A small set of pre-printed codes, each of which works only once.
* The token is created by a mobile application on your phone (these tokens change every minute or so).
I have a few Gmail-based email accounts, so I thought I would see how easy it is to set this up. The first obstacle I ran into was that my Gmail accounts are linked through Google Apps. When I logged into my account I was not able to find a way to enable the two-factor authentication. After a bit of searching I found out that I needed to “Manage this Domain” to allow my users to even use this feature (see screenshot below).
Once I enabled this feature, I was able to enable it for my individual email account. Google did a great job of creating a wizard to walk you through the process. The first step is selecting your phone type. I have an iPhone, so it gave me instructions on how to download the Google authentication application from the App Store.
Once I got the app up and running on my phone, the web page displayed a bar code for me to scan with it. Once it scanned the bar code it automatically recognized my email account. It asked me to verify the number shown in the iPhone app on the web page. Once it was verified I was given a list of 10 hard-coded keys in case I didn’t have my phone available. They also give you the option to set up another phone as a backup.
You might be wondering what happens if you are using Outlook, Entourage, your phone, etc., to access your Gmail. These obviously don’t support the second form of authentication. Google is way ahead of you. They created application “keys” that you can create for each application you want to access your account. You generate the key on the website, then use that as the password in your mail client. I was able to set all of this up (3 different clients) within about 10 minutes.
Google makes a great effort to warn you about the new authentication and does everything they can to make sure you are set up properly so you don’t lose access to your mail.
Don’t want to have to enter a code every time you access Gmail? You are in luck. You can specify that you want it to remember that specific computer for 30 days. This makes it convenient, and the risk is small unless someone has stolen your password and also has access to your computer.
If you are using Gmail, I highly recommend taking the time to set this up. It is a pretty cool feature and hopefully we will be seeing banks and other sites taking some strides toward this.
I don’t doubt that we will see the security guys start hammering on this new feature to try to find weaknesses. Even if they find some, this is still a good thing. Either way, it will not decrease your security, and if anything is found, it will only help make the feature better.