September 20, 2010

Moving security beyond passwords



Entering your username and password on a standard website gives you access to everything from your email and bank accounts to your favorite social networking site. Your passwords possess a lot of power, so it's critical to keep them from falling into the wrong hands. Unfortunately, we often find that passwords are the weakest link in the security chain. Keeping track of many passwords is a pain, and unfortunately accounts are regularly compromised when passwords are too weak, are reused across websites, or when people are tricked into sharing their password with someone untrustworthy. These are difficult industry problems to solve, and when re-thinking the traditional username/password design, we wanted to do more.

As we explained today on our Google Enterprise Blog, we've developed an option to add two-step verification to Google Apps accounts. When signing in, Google will send a verification code to your phone, or let you generate one yourself using an application on your Android, BlackBerry or iPhone device. Entering this code, in addition to a normal password, gives us a strong indication that the person signing in is actually you. This new feature significantly improves the security of your Google Account, as it requires not only something you know: your username and password, but also something that only you should have: your phone. Even if someone has stolen your password, they'll need more than that to access your account.



Building the technology and infrastructure to support this kind of feature has taken careful thought. We wanted to develop a security feature that would be easy to use and not get in your way. Along those lines, we're offering a variety of sign in options, along with the ability to indicate when you're using a computer you trust and don't want to be asked for a verification code from that machine in the future. Making this service available to millions of users at no cost took a great deal of coordination across Google’s specialized infrastructure, from building a scalable SMS and voice call system to developing open source mobile applications for your smart phone. The result is a feature we hope you'll find simple to manage and that makes it easy to better protect your account.

We look forward to gathering feedback about this feature and making it available to all of our users in the coming months.

If you'd like to learn more about about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/.

11 comments:

  1. Pls don't leave MAEMO and Nokia N900 begind.

    ReplyDelete
  2. I am delighted to hear that Google now has the security feature that have been keeping my World of Warcraft account safe for years: the Battle.net Authenticator. Just remember to create a backup of the software on your phone to avoid a situation where they don't think you're you because your software upgrade or reinstall deletes your verification software.

    ReplyDelete
  3. Yay good step, definitely right direction.

    ReplyDelete
  4. The Google Enterprise Blog mentions that the verification process is built on open standards. Can you please provide some details on what Open Standards are at play here?

    ReplyDelete
  5. I would like to have this work with OATH tokens, as well as my phone. Losing my phone would lock me out of my apps.

    ReplyDelete
  6. The open standards are mentioned on the open source page for the phone app! It's OATH-based.

    http://code.google.com/p/google-authenticator/

    ReplyDelete
  7. Is this authentication option going to extend beyond paid products?

    ReplyDelete
  8. Will this be coming to personal gmail.com accounts?

    ReplyDelete
  9. What about adding a two-phase commit protocol (2PC) on top of you're current idea ???

    ReplyDelete
  10. I have been locked out of my Gmail account for inactivity for months. I have tried so much with out any way to gain access to my account. Does anyone have any idea how to help me?
    and i have gone through all lost password proses google offers and none of that works.

    ReplyDelete
  11. I am still bummed that two-step verification doesn't work with iChat on my new MBP. I've tried to make an application specific password multiple times and the forums are closed on Google Talk. ;(

    ReplyDelete

You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.