Starting Thursday all Google users can choose to turn on a so-called “two-factor authentication” feature, which will require them to type in a special, short-lived second password in addition to their normal password to get into their account. Users will be able to get the codes by text or a phone call, or use smart phone apps for Android, iPhone and Blackberry to generate the codes.
The idea isn’t new, even though this is the first time such a security option has been offered for free by a major online e-mail service.
Government agencies, banks, online games such as World of Warcraft, and investment companies have long used little keychain fobs that derive an unpredictable one-time code from a secret key and the current time, changing it every minute or so. To log on to your account, you first type in your usual username and password and then type in the one-time code.
Nishit Shah, a product manager for security, says the new security feature should help prevent hackers from getting into sensitive accounts, like Gmail, by snooping passwords or by exploiting security breaches, like the one that recently exposed the e-mail addresses and passwords of Gawker Media commenters — a huge problem since many users reuse the same password over and over.
“I’ve been using my Gmail account almost every day for five years,” Shah said. “My Google account is invaluable to me.”
The feature has been available to paid Google Apps users for six months, and over the last few months, the company has been testing the feature internally and with users who have been having problems with hackers getting into their accounts.
“We have seen instances where user accounts would have been compromised without this feature,” Shah said.
The feature is now listed under the Account Settings page for Google users.
But he warns this is not a feature that is simply turned on by clicking a check box, and advises users to set aside about 15 minutes to set it up.
That’s because users will have to navigate a few hurdles. For instance, they’ll be given the option to register a backup phone number, either a landline or a trusted friend’s phone, in case their own phone is lost or broken. Additionally, programs that access a Google account directly, such as a mail client fetching Gmail over IMAP, can’t prompt for a code, so each one has to be given its own 16-character, randomly generated application-specific password instead of the normal account password.
The security feature does introduce some complexity. For instance, users traveling abroad may not be able to receive text messages. The smartphone apps for Android and the iPhone, however, will generate usable codes even without a net connection: the app derives each code from a secret provisioned to the phone during setup and from the current time, so nothing has to be fetched from the network.
To help, Google is also offering the option of preprinted special codes that a user can choose to use while traveling.
That’s especially useful for anyone who uses a shared computer in a hotel or hostel, which could easily be infected with a password-stealing trojan. Because each printed code works only once, even a hacker who snagged your username, password and the code you typed on such a computer couldn’t log in again later, since he wouldn’t know what the next code is supposed to be. It does not protect the session itself: malware on the same machine can still act while you are logged in.
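To make concrete why the phone apps can produce codes with no connection and why a printed code is worthless once it has been spent, here is an added example (written for this page, not Google’s code): an RFC 4226 HOTP / RFC 6238 TOTP implementation, a server-side verifier that tolerates one step of clock drift but refuses replays, and a single-use backup-code store. The shared secret and timestamps are the published RFC test vectors, the backup codes are generated on the spot, and the 30-second step, six digits and one-step window are assumptions that match common practice rather than anything the article states.

```python
"""TOTP/HOTP codes and single-use backup codes (example code, not Google's).

Secrets and times are RFC 4226/6238 test vectors or constructed values.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of `step`-second
    intervals since the Unix epoch. Only the secret and a clock are needed,
    which is why an authenticator app works with no network at all."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 string; re-pad and decode."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server side: accept the code for the current step or `window` steps either
    side (clock drift), but never accept a step that has already been consumed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1  # highest counter value already used to log in

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if c > self.last_accepted and hmac.compare_digest(expected, code):
                self.last_accepted = c  # burn this step so a keylogged code is dead
                return True
        return False


def issue_backup_codes(count: int = 10, digits: int = 8):
    """Return (codes_to_print, hashes_to_store). Only the hashes are kept server
    side. Production code would add a per-user salt and a slow hash; plain
    SHA-256 keeps this example short."""
    codes = []
    while len(codes) < count:
        c = str(secrets.randbelow(10 ** digits)).zfill(digits)
        if c not in codes:  # keep the printed sheet free of duplicates
            codes.append(c)
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(code: str, unused_hashes: set) -> bool:
    """Strike the code off on first use; replaying a captured code fails."""
    h = hashlib.sha256(code.strip().encode()).hexdigest()
    if h in unused_hashes:
        unused_hashes.discard(h)
        return True
    return False


if __name__ == "__main__":
    rfc_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_secret, 0))                     # 755224
    print("TOTP t=59 (8 digits):", totp(rfc_secret, 59, digits=8))    # 94287082
    v = TotpVerifier(rfc_secret)
    code = totp(rfc_secret, 59)
    print("first use:", v.verify(code, 59), "replay:", v.verify(code, 59))  # True False
    sheet, store = issue_backup_codes()
    print("backup first use:", redeem_backup_code(sheet[0], store),
          "second use:", redeem_backup_code(sheet[0], store))         # True False
```

The verifier checks the neighbouring steps because a phone clock a few seconds off would otherwise lock the user out, and it records the last consumed counter so that a code captured by a trojan cannot be resubmitted inside that window. The backup-code store models the printed sheet: the server keeps only hashes and removes each one the first time it is redeemed.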
So what happens if you lose your phone and the backup number you set up is no longer in service?
Shah says the company has thought this through, and there is a final way to regain access to your account with tough-to-answer security questions.
The two-factor authentication feature is currently offered only in English, but translations are under way, and it should reach all Google users, smartphone apps included, in their native languages in the coming months.