Friday, February 11, 2011

Google Unveiled Advanced Sign-In Security Feature


A Google account is currently only protected by a username, which in most cases is an email address, and a password. Threats like phishing, brute forcing and social engineering are very common on today’s Internet. To protect its users, Google has decided to roll out an advanced sign-in security feature for Google accounts that makes those attack forms more or less useless.

2-step verification is currently being rolled out to all users. You can check the Account Settings page to see if the “Using 2-step verification” link is already available under Settings > Accounts and Import > Google Account Settings > Personal Settings > Security.


But what does it do? It adds a second login step after the username and password have been entered. The code for that step can be received via SMS, via a call from Google, or from an application installed on the phone that generates the code without any direct contact with Google. The application is available for Android, BlackBerry and iPhone devices.

The code is a unique temporary verification code that needs to be entered during login.
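Phone-generated codes of this kind are commonly produced with the open TOTP standard (RFC 6238): phone and server share a secret once, and each then derives the current code from that secret and the clock, so the phone never has to contact the server. The sketch below is an added example, not Google's code; the 30-second step, 6-digit length, ±1 step drift window and the RFC test secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default; assumed here)
DIGITS = 6   # code length (assumed)

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Phone side: derive the code from the shared secret and the clock only."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: recompute the code, tolerating +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP
        if t < 0:
            continue
        # Constant-time comparison; no early exit, so timing does not leak a match.
        ok |= hmac.compare_digest(totp(secret, t), submitted)
    return ok

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("accepted one step later:", verify(secret, code, 89))
    print("accepted two minutes later:", verify(secret, code, 179))
```

A captured code stops working within a step or two, which is why a phished password plus an old code is not enough to sign in; a production verifier would also reject reuse of an already accepted code and rate-limit guesses.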

Once you enable 2-step verification, you’ll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we’ll have a pretty good idea that the person signing in is actually you.


A hacker would need access to both the phone and the Google login information to access the account. While that is still possible under certain circumstances, it eliminates many possible attack vectors.

The verification code can be remembered for 30 days on a specific computer so that it only needs to be entered again once the 30 days are over. There is also an option to create a one-time application-specific password to sign in from non-browser-based applications that do not prompt for the code.

A backup phone and backup codes can be created in case the phone gets destroyed, stolen or lost.

Users need to carry their phone with them if they want to access the Google account. They also need to make sure that the phone is accessible, as it is not possible to log into the account if it is not.
