2-Step Verification for Google Apps

2-Step Verification
In this three-part blog series covering Google's 2-Step Verification (2SV), we'll begin by explaining what 2SV is and why you should use it. Part 2 will cover a user-level overview of enabling 2SV for a Google Account and part 3 will explain how Google Apps administrators can enforce 2SV for their users in order to increase their IT security.

Traditionally, most websites utilize simple one-step verification: they check to make sure you know your password and if so, give you full access to the account. The problem with this approach is that passwords are easily lost, often unbeknownst to the user. For example, hackers regularly infect public kiosk computers with key logger malware that send the user's input to them, allowing them to capture passwords. The user generally doesn't discover their account has been compromised until after the damage is done. 2SV works by adding an additional step to the authentication process. After the user has entered something they know (their password), they are required to enter something they have, a one time verification code. With 2SV, even if the user's password is lost, others still cannot access the account because they don't have the current verification code. While 2SV isn't impenetrable (no security system is), in practice it makes it extremely difficult for anyone to compromise your user's accounts.

Recently, Google announced the ability to enforce 2SV for your Google Apps users. This new feature allows Google Apps admins to require 2SV be turned on for some or all users. We at Dito decided 2SV was an important enough security feature that we wanted all employees using it. Traditionally, 2SV systems were reserved for industries that had extremely high security needs like government defense contractors and Internet security companies. However, two things changed our mind about 2SV:

  1. Everybody is a target for hackers today. Don't make the mistake of believing that your account data is not valuable enough to be hacked. Do you have email addresses in your inbox or Google Contacts? Additional targets are a valuable commodity to hackers. Do you have a decent reputation with your contacts? Trust is extremely valuable and exploitable. Hollywood likes to show hackers sitting in their basement targeting a single corporation that has data they want but the fact is most hacking attempts these days are entirely automated. The goal is to crack as many accounts as possible and sort through the details later.
  2. Google has made 2SV cheap and manageable. Google added 2SV to Google Apps in September, 2010. Since that time they've worked hard to improve the setup process and overall user experience. Traditional 2SV systems require extra client and server hardware and software. Google's 2SV implementation relies on user's existing mobile devices and open standards allowing 2SV to be enabled with no additional cost to the company. Support for users struggling with traditional 2SV lockouts also increased costs and man hours. With multiple ways to get a verification code, Google's 2SV greatly decreases the risk of lockouts and makes administrator recovery painless for users and admins.

This is part one in a three part 2SV series. Be sure to take a look at Part 2: Enabling 2SV for Your Google Account and Part 3: Enforcing 2SV for Your Users. Are you currently using or planning to use Google Apps 2SV? Tell us about it in the comments!

Labels: , , , ,