Securing the cloud

Google Apps more secure with two-step verification

Published 22 September 2010

More and more companies are migrating their e-mail and other cloud services over to Google Apps — but the doubts about whether making such a transition would put company security at risk linger; now the company is doing something about it: Google announced early Monday the availability of two-step verification, a more secure way for Google Apps users to sign into their accounts.

Whether or not we should call this a trend, the fact is that more and more companies are migrating their e-mail and other cloud services over to Google Apps — but the doubts about whether making such a transition would put company security at risk linger. There are numerous ways for system administrators to add extra layers of security for when users check their e-mail from outside the building, but switching everything to Gmail means that everything is left behind a single — and possibly insecure — password.

Jacqui Cheng writes in Ars Technica that Google has long been aware of this problem, and now the company is doing something about it. Google announced early Monday the availability of two-step verification, a more secure way for Google Apps users to sign into their accounts. Instead of just relying on a password set by the user, the two-step verification process will force users to log in with something they know (their password) as well as something they have (a PIN number sent to their mobile device).

“After entering your password, a verification code is sent to your mobile phone via SMS or generated on an application you can install on your Android, BlackBerry or iPhone (coming soon) device,” Google Apps director of security Eran Feigenbaum said. “This makes it much more likely that you’re the only one accessing your data: even if someone has stolen your password, they’ll need more than that to access your account.”

Cheng notes that the feature must be turned on by an administrator — administrators for Google Apps Premier, Education, and Government Editions can activate it now, while Standard Edition customers will be able to do so soon — and certain devices can be authenticated as “trusted” so they only require one step to log in. For example, a company’s administrator might let you authenticate your home computer as trusted (as it is less likely that your company e-mail will get accessed by a thief), but require your laptop to go through the two-step process, as it is more likely to get lost or stolen.

Cheng writes that the feature is meant primarily for the businesses that use Google Apps for their services, but Google says it will eventually be available to all users. Additionally, the company says that the system is built on open standards, and that it will be open sourcing its mobile authentication app “so that companies can customize it as they see fit.”