In association with heise online

11 February 2011, 15:03

Google extends 2-step authentication to all users

The additional verification code is generated by a smartphone app or sent to the user via SMS from Google.

Passwords are among the most critical breaking points of web-based services. By offering an optional 2-step log-in, Google is raising the security of its platform to a new level. The vendor plans to offer the procedure to all Google users for log-ins to Google accounts in the next few days.

In a blog posting, Google technicians have already announced a new optional log-in procedure that requires users to enter a verification code as well as their password. This code is either generated by a smartphone app, or Google sends it to a registered number via an SMS text message. A successful log-in will then require two independent factors: users will need to know their password and have access to the previously registered mobile phone.

That passwords alone don't provide adequate security levels has been known for a while. Uncrackable passwords are impossible to memorise – at least in sufficient numbers. And even a 20-digit password consisting of random characters won't protect users if their PC has been infected with a trojan that simply reads it as it is entered. These factors have now given rise to the need for an additional verification procedure that operates independently.

Years ago, eBay and its PayPal subsidiary attempted the large-scale introduction of single-use passwords for secure authentication. At the time, the project failed, mainly because it first required users to purchase a special token that they always had to carry on them. Now, the rising popularity of smartphones has enabled developers to implement pass code generator apps and considerably reduce the barrier to entry.

Google estimates that the one-off effort required to set up 2-step verification is about 15 minutes. In addition, there is the extra effort for every individual log-in. Available screenshots already demonstrate that Google is willing to compromise in this area, allowing users to activate their computers so that they only need to enter the verification code once every 30 days. Even if the implementation of the procedure requires further adjustments over time, Google has now given a clear signal that it truly intends to tackle the password problem.

