Google announced that it is implementing two-factor authentication for Google Apps to improve security. The introduction of more stringent authentication controls removes one of the hurdles for businesses to embrace Google Apps and makes the productivity suite a more viable option for organizations concerned with security in the cloud.
Security is one of the biggest obstacles for many organizations when it comes to considering cloud-based services. Web-based services have the benefit of being available from virtually anywhere rather than being shackled to the local storage of a specific machine, but if users can access the data from anywhere so can attackers.
“Cloud computing is about making your information easily accessible from anywhere, on any device,” Eran Feigenbaum, director of security for Google Apps, said in a blog post. “Until today, organizations looking to secure their information beyond a password have faced costs and complexities that prevented many of them from using stronger security technologies. Today, we are changing that with the introduction of a more secure sign-in capability for Google Apps accounts that significantly increases the security of the cloud: Two-step verification.”
The feature, which must be enabled by an administrator, requires two factors at sign-in: something the user knows (the account password) and something the user has (a mobile phone that receives or generates a one-time code).
Despite decades of user awareness efforts, passwords are often trivial to guess or crack. The compromise of passwords at RockYou.com provided a rare opportunity to examine the passwords people actually choose. A study of the more than 30 million passwords exposed when RockYou.com was hacked found that almost half used names, common dictionary words, or keyboard sequences such as "qwerty".
Those odds do not help IT administrators sleep at night. It is bad enough that roughly half of all lost or stolen laptops and USB thumb drives may hold data guarded by nothing stronger than such a password; putting that same data on the Web, where it can be reached around the clock by anyone with an Internet connection, invites compromise if a password is all that stands in the way.
Two-step verification strengthens Google Apps by relying on a technology nearly as ubiquitous as the Web itself: the mobile phone. Once it is enabled, signing in to Google Apps requires a one-time verification code delivered to or generated on the phone in addition to the account password, so the password alone no longer grants access.
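As an added illustration, not code from the article or from Google, the Python below sketches how a one-time code of the kind the Google Authenticator app displays is derived and checked on the server side. Google Authenticator implements the open HOTP and TOTP standards (RFC 4226 and RFC 6238), and the block uses those RFCs' published test key as a constructed demo secret; the `Account` class, the `sign_in` function, the drift window and the demo password are hypothetical choices made for the example, not Google's implementation. It shows the paragraph's point in running code: a correct password with no code, or a correct code with the wrong password, is refused, and a code that has already been accepted once is refused when replayed.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo key: the shared test secret from RFC 4226 / RFC 6238,
# not a secret from any real Google account.
DEMO_TOTP_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


class Account:
    """Hypothetical account record for this demo; not Google's data model."""

    def __init__(self, password: str, totp_secret: bytes, two_step: bool = True):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret
        self.two_step = two_step
        # Highest time-step whose code has already been accepted; anything at or
        # below it is refused, so a code observed once cannot be replayed.
        self.last_counter = -1

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))

    def match_code(self, code: str, now: int, window: int = 1) -> Optional[int]:
        """Return the time-step whose code equals `code`, or None.

        Steps from now-window to now+window are accepted to tolerate phone clock drift
        (an assumed policy); steps already consumed are skipped. Every candidate is
        compared in constant time rather than returning on the first hit.
        """
        code = code.strip()
        if not code.isdigit():
            return None
        current = int(now) // STEP_SECONDS
        matched = None
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                matched = counter
        return matched


def sign_in(account: Account, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Two-step sign-in: returns 'ok' or 'denied'.

    Both factors are evaluated before any decision, the answer does not say which one
    failed, and a matched code is consumed only when the password was also right, so
    someone holding just the phone cannot burn the legitimate user's codes.
    """
    now = int(time.time()) if now is None else int(now)
    password_ok = account.check_password(password)
    if not account.two_step:
        return "ok" if password_ok else "denied"
    matched = account.match_code(code, now) if code is not None else None
    if password_ok and matched is not None:
        account.last_counter = matched
        return "ok"
    return "denied"


if __name__ == "__main__":
    acct = Account("correct horse battery", DEMO_TOTP_SECRET)
    now = int(time.time())
    code = totp(DEMO_TOTP_SECRET, now)  # what the phone app would display right now
    print("password only:", sign_in(acct, "correct horse battery", None, now))
    print("code only:    ", sign_in(acct, "wrong", code, now))
    print("both factors: ", sign_in(acct, "correct horse battery", code, now))
    print("replayed code:", sign_in(acct, "correct horse battery", code, now + 5))
```

The replay check matters in practice: "one-time" is only true if the server remembers which time-step it last honoured, otherwise a code shoulder-surfed or phished within its 30-second validity can be reused by the attacker alongside a stolen password. The drift window is a trade-off; widening it past a step or two gives an attacker who has the password proportionally more guesses per attempt.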
“This makes it much more likely that you’re the only one accessing your data,” Feigenbaum said. “Even if someone has stolen your password, they’ll need more than that to access your account. You can also indicate when you’re using a computer you trust and don’t want to be asked for a verification code from that machine in the future.”
While this new capability is just for Google Apps business users today, he said it will be rolled out to all individual Google users “in the coming months.”
For some organizations, the additional protection offered by two-factor authentication can also help satisfy data protection requirements. Businesses that fall under Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and other regulatory and industry compliance mandates must have certain security controls in place or risk serious legal and financial consequences. With the option for more stringent authentication, organizations have a reason to take another look at Google Apps.
There is a potential downside as well. The mobile phone may be nearly as ubiquitous as the Web, but it is also a device that is easily lost or stolen. Whoever holds the phone holds the second factor, and the presence of the Google Authenticator app on it is a giveaway that the owner has a Google Apps account.
But it is called "two-factor" for a reason: even with the phone and its one-time codes in hand, an attacker still has to obtain the username and password before the Google Apps account can be compromised.
With the addition of two-factor authentication, Google Apps is a much more attractive option for security-conscious organizations. IT admins that have avoided Google Apps should re-examine the benefits of the Web-based productivity suite.
With notes from Sharon Gaudin