Thoughts on Google’s Two-Factor Authentication – Part One

Last updated: 08 November 2011

I read an interesting post by Chris Ripley on BlogCritics last week, looking at Google’s two-factor authentication. In case you missed its recent announcement, the search giant has made two-factor authentication available on its email accounts worldwide. This is a great step in the right direction and it’s fantastic to see people like Chris supporting the cause of strong authentication! I actually took it for a spin and set up two-step verification (as they have termed it) for a Gmail account using my iPhone as the authenticator. The setup was simple, enabling one-time password authentication.

It’s good news for all of us that we can lock down our Google apps more securely now, but there are other areas where this should set a precedent for stronger authentication. It is also important to recognize that, while this is a step in the right direction for companies moving to cloud-based productivity apps, it may not be a sufficient level of protection on its own.

One such area is companies’ sensitive data. We are all aware of the economic drivers for moving to cloud-based apps, and there are plenty of companies out there trying to promote these apps to you. But consider this: no amount of savings is worth the potential damage caused by a breach of sensitive information. This is why I spend a lot of time talking and writing about layered security and the need for strong identities in the online world. A one-time password (OTP) is a good step in the right direction, but over the last year we have seen how it can be compromised. Brian Krebs did the deep-dive work on who was affected by the RSA breach, and the results were pretty incredible. Brand name after brand name appeared on his list, proving that, in some cases, OTP is only a partial answer to the bigger security question.

The strongest form of authentication is when you implement multiple authentication factors. As discussed many times on our blog, this essentially means three categories: something you know (username) plus something you have (OTP device, certificate-based device) and, for extra security, something you are (a biometric detail such as a fingerprint). By increasing the number of authentication factors, you increase the level of security and, as a result, the level of trust that can be placed in the identity of the person accessing a computer network or account. OTP is a good step because it introduces a second factor, but if someone were able to steal the device or compromise the OTP algorithm, the effectiveness of OTP as a security measure would be diminished.

In the second of my posts on this topic I will explore how certificate-based identity systems can help further secure details such as email and banking accounts.