Google Apps has supported two-factor authentication (“two-step verification” in Google lingo) since 2011. However, this was an entirely opt-in feature, even for paid Google Apps for Business customers. Having an opt-in feature for security-savvy users is great, but the truth is that a majority of users will not volunteer for it. Thus, we were happy to learn that organizations can now enforce the use of this feature.
Two-factor authentication is an important element in a strong information security program. Traditionally, authentication is designed around three types of factors: something the user has (e.g. a security token or mobile phone), something the user knows (e.g. a password), or something that is physically part of the user (e.g. retina scans, fingerprints, voice recognition). The primary authentication mechanism for most websites (Google Apps not being an exception) is the password. Passwords are easy to steal or lose, and on their own they are considered insufficient for security-sensitive applications.
In the Google Apps suite, mobile phones are currently the only other available authentication factor. If 2-step verification is enabled, when a user logs in and enters their password, they receive a text message or a voice call on their phone that delivers a secure code. Only after this second code is entered is the user allowed to log in. The likelihood that an attacker both steals a user's phone and learns the user's password is much lower, so security is greatly enhanced.
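The two-step flow just described, as an added example that is not Google's code nor part of the original post: a password check that issues a one-time code to the user's registered phone, followed by a code check that enforces expiry, single use and an attempt limit. The user store, the phone number and the in-memory outbox standing in for SMS/voice delivery are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a sent code is only good for five minutes
MAX_CODE_ATTEMPTS = 3    # after that the pending challenge is discarded


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2 hash for the demo user store (hypothetical storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


class TwoStepVerifier:
    """Step 1 checks the password; step 2 checks a one-time code sent to the phone."""

    def __init__(self, users, now=time.time):
        self.users = users      # username -> {"salt", "pw_hash", "phone"} (constructed store)
        self.now = now          # injectable clock so code expiry can be tested deterministically
        self.pending = {}       # username -> {"code", "expires", "attempts"}
        self.outbox = []        # simulated SMS/voice deliveries as (phone, code) pairs

    def step1_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return False
        # Password is right, but the session is NOT authenticated yet: issue the second factor.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "expires": self.now() + CODE_TTL_SECONDS, "attempts": 0}
        self.outbox.append((user["phone"], code))   # stands in for the text message / voice call
        return True

    def step2_code(self, username: str, code: str) -> bool:
        challenge = self.pending.get(username)
        if challenge is None:
            return False                            # no password step yet, or challenge already used
        if self.now() > challenge["expires"]:
            del self.pending[username]              # stale code: force a fresh step 1
            return False
        challenge["attempts"] += 1
        if hmac.compare_digest(challenge["code"].encode(), code.encode()):
            del self.pending[username]              # single use: a replayed code must fail
            return True
        if challenge["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.pending[username]              # limits online guessing of the 6-digit code
        return False
```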
Two-factor authentication is a great step forward, and I would like to see Google continue to improve its security offerings for the enterprise. In particular, I think there would be great benefit in adding further two-factor authentication mechanisms such as hardware security tokens, which are already widely used in the enterprise.
What do you think about Google’s move to strengthen two-factor authentication?
Disclosure: Linkgard is a Google Apps reseller.