Could Google Make Two-Factor Security The Norm?

For a long time, security professionals have been urging companies to use two-factor security instead of passwords only, but often their pleas have fallen on deaf ears. Today’s announcement that Google Apps will have two-factor security – for free – could lend some weight to the move to greater security.

Password-based security is OK, but it is not realy good enough. It is based on something you know (your password), which is fine as long as you are the only one who knows it. Someone else could get hold of that password, either by guessing a really obvious password, by cracking a more complex one, by tricking you into revealing it through phishing or social engineering, or by snooping it through a Trojan or other malware.

Getting beyond mere passwords

Security professionals have said for a long while that we should all be add more layers to our verification systems. Two-factor security adds something you have. Often it’s a token, such as from SecurID, or it could be a one-off code sent to a mobile phone to prove you have your phone. ATM cards require you to have the card, and know the PIN number.

Beyond that, three-factor verification would include proving who you are, through biometrics, which so far has proven either too unreliable (fingerprint readers) or too expensive, for general use.

It’s pretty much agreed that two-factor authentication should be the baseline for access to corporate applications, but it’s also pretty clear that by and large, people do not have this. Google application security chief Eran Feigenbaum for instance told us a year ago that Google recommends two-factor authentication.

“The reality is most security on the Internet today depends on knowing the user’s password,” said Feigenbaum. “We have clients that use two-factor authentication, with one-time passwords through things like RSA SecurID, smartcards or cellphones.”

When asked if Google employees use the system, his reponse was a crisp “no comment”, leaving us to draw our own conclusions.

Is a smartphone suitable?

Google uses a popular form of two-factor authentication, where a one-off code sent by SMS verifies that the user has a specific smartphone (or at least the SIM card associated with that phone account).

Companies using premier versions of Google Apps can now set it up so that users sitting at a terminal have to know where their smartphone is and have it with them, so they can enter the code from their phone.

This is not an onerous difficulty, given the importance our phones are assuming. We should all know where our phones are, given their ability to access online information.

For those using Google mail on a mobile device, of course, it is possible to weaken this system. If the Google Apps password is in the phone’s memory, then the two factors – password and phone – have effectively become one, and a lost or stolen phone can get a thief into the Google Apps account, as long as they can get past the screen lock.

Since a lot of transactions will be carried out from mobile phones, banks are concerned to improve authentication – and the current suggestion seems to be to use location information (which does not tell us who has the phone) and profile information (which doesn’t add much if it’s on the phone or available from it).

Separate devices

For companies wanting to provide mobile access to Google Apps, and using the SMS channel for two-factor authentication, the answer may be to insist that users do their mobile email on a different device from their SMS and phone communications. In other words, to carry two phones.

But even then, Google has a feature to recover forgotten passwords. They can be sent by SMS to a mobile phone. If that turns out to be the phone that is used for the two-factor authentication token, then all you need is the phone (the second factor) and the email address to retrieve the first (the password).

Further details of the Google offering will emerge – and at this stage it’s built into Google Apps for users to implement. There will be set-up options that should let administrators choose a secure path that avoids these possible traps.

By offering free two-factor authentication, Google could be opening it up to widespread use, and exposing it to the kind of mass stress-testing that these systems need to evolve into something that is both useful and secure.