Saturday, May 28, 2011

Using Google's Two-Factor Authentication

UPDATE:  If you've read about Gmail account passwords getting stolen (hackers getting users to load a fake login page and capturing their passwords) and you are concerned, you really should read this.  Had those users turned on Google’s “Two-Step Verification”, they probably wouldn't have been hacked.

Google introduced what's known in the industry as "two-factor authentication” last year.  Google calls it "2-step verification".  Although I use a two-factor authentication system every day for the company I work for and have used others in the past, it’s time to tighten my own security belt. In addition, I feel that if I’m going to write about Google’s system, I really should be using it.  Actually, I think you should too.  Security is in the news a lot more these days, and people are putting more of their lives into the cloud.  If you use Google Docs and other services like I do, you should be doing a better job of ensuring your data is secure and private.  

After the break, I’ll explain what it is, how it works, and how to turn it on for your Google account.

Definition of “Two-Factor Authentication”
Two-factor authentication is an authentication method that requires two things from a user in order to “authenticate” themselves, or log into a system.  Instead of just requiring the user to enter a password that supposedly only the user knows, it requires a second factor.  Typically this second thing is a device, or a way of proving you are holding the device.  So the two factors are something you know (your password) and something you have (typically a device).  By requiring both, there is a higher likelihood that you are who you say you are.

I use two-factor authentication every day to get on my company’s network from home.  When I start my network software it prompts me for a password and then checks whether I have a device plugged into the computer (normally in the USB port).  Other implementations of two-factor authentication are similar to RSA’s SecurID, where the user’s second factor is given by entering a number that is displayed on a small device.  The number is synchronized with the server and is unique to that person.  By entering that number (which normally changes once a minute), you prove to the computer that you are holding the device.

Two-factor authentication has been around a long time, since at least the early 90s in the computer world, and is used by most large companies in some form to strengthen authentication.  The main purpose is that if someone steals your password, they still can’t access whatever it protects without the second factor.  Enter your password in a public place?  No problem, because a sneaky spy doesn’t have the second factor.  If the second factor is a number on a device and he sees you enter it, it still won’t work, because that number can only be used once (that’s why it changes all the time).  Nothing is foolproof, but this method is orders of magnitude better than the simple password systems most people are familiar with today.  

A good example of an implementation using the little key fob device is PayPal’s “Security Key”.  It’s a little device that fits on your keyring and displays a different number every minute; you must enter that number in order to complete your login to PayPal.
Google’s 2-Step Verification
Google’s implementation is similar to SecurID but without the cost or headache of carrying yet another electronic device on your person.  Google uses a device that most of its users are never without: their cell phone.  When you authenticate from a computer that you have not used before, Google sends you an SMS message with a number that you enter into a second dialog box.  You get the benefits of two-factor authentication without the additional cost.  

If you have a smartphone or other software that connects to your Google account (I have several), you can create special passwords for those devices.  The setup screens for Google 2-Step Verification will step you through the entire process.  These special passwords allow mail and calendar software on a mobile phone to continue to work, because that software isn’t designed to accept a second factor.  If you lose the phone, it’s easy to disable the password for that device, and setup takes only about an extra 2 minutes.  Google knows that there’s always the chance that you won’t have access to your phone: it could have a dead battery or you might have lost it.  Google allows you to set up a backup method (a second phone, or a message sent to a voice number).  In addition, Google supplies you with five one-time passwords, a backup to the backup method.  If you want more info on how to set up Google 2-Step Verification, go to Google’s help page on the topic.
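To make the mechanics described above concrete (a code that changes once a minute, is tied to a secret shared with the server, can only be used once, plus a handful of single-use backup codes), here is an added example that is not from the original post and not Google’s or RSA’s code. It uses the open HMAC-based one-time password construction (RFC 4226 / RFC 6238) as a stand-in for the proprietary SecurID algorithm, with a constructed shared secret, a constructed password, and hypothetical function names; the replay check and the backup-code handling are the points worth noticing.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for the demo; a real system provisions the secret at
# enrollment and never reuses it across users.
SHARED_SECRET = b"demo-shared-secret-not-for-real-use"
STEP_SECONDS = 60  # the post describes codes that change once a minute
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)


def time_based_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code shown on the 'device' for the time window that contains unix_time.

    Both the device and the server can compute it from the shared secret and
    the clock, which is what the post means by the number being 'synchronized'.
    """
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server-side check of the 'something you have' factor."""

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self._secret = secret
        self._drift = drift_windows          # tolerate device/server clock skew
        self._used_windows = set()           # windows whose code was already accepted
        self._backup_hashes = set()          # sha256 of unused backup codes

    def verify_code(self, code: str, now: int) -> bool:
        """Accept a time-based code once; a replay of an accepted code fails."""
        current = now // STEP_SECONDS
        for window in range(current - self._drift, current + self._drift + 1):
            expected = time_based_code(self._secret, window * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                if window in self._used_windows:
                    return False             # someone re-entering a code they saw
                self._used_windows.add(window)
                return True
        return False

    def issue_backup_codes(self, count: int = 5) -> list:
        """Generate single-use backup codes; only their hashes are stored."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self._backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes  # shown to the user once, e.g. to print and keep in a wallet

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once, then is discarded."""
        presented = hashlib.sha256(code.strip().encode()).hexdigest()
        match = next((h for h in self._backup_hashes if hmac.compare_digest(h, presented)), None)
        if match is None:
            return False
        self._backup_hashes.remove(match)
        return True


def login(verifier: SecondFactorVerifier, password: str, code: str, now: int) -> str:
    """Both factors must pass. The second factor is not consulted until the
    password is right, mirroring the post's point that the verification code
    is only sent after a correct password is entered."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    if not hmac.compare_digest(candidate, PASSWORD_HASH):
        return "password rejected"
    if verifier.verify_code(code, now) or verifier.verify_backup(code):
        return "authenticated"
    return "second factor rejected"


if __name__ == "__main__":
    now = 1_700_000_000
    v = SecondFactorVerifier(SHARED_SECRET)
    code = time_based_code(SHARED_SECRET, now)
    print(login(v, "correct horse", code, now))       # authenticated
    print(login(v, "correct horse", code, now + 5))   # second factor rejected (replay)
    backups = v.issue_backup_codes()
    print(login(v, "correct horse", backups[0], now + 200))  # authenticated
    print(login(v, "correct horse", backups[0], now + 260))  # second factor rejected
```

A stolen password alone yields "password rejected" only until the attacker also has the current code, and a code glimpsed over your shoulder is refused on its second use; the backup codes behave the same way, which is why the post says each can be used one time.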

I recommend that my readers take this very simple step to improve their security and the chances that their private data stays private.

Know when someone is trying to hack your account
If some nefarious hacker is trying to log in to your account, you’ll probably know immediately, because you will start receiving SMS messages on your phone from Google with your verification code.  If this happens, someone has entered your e-mail address and has your password, because the message is NOT sent until your e-mail address and password are successfully entered.  If this happens to you, don’t freak out; they still can’t get in until they enter a verification code, and they can’t get it unless they have access to your cell phone.  What you should do is change your password right away, and if that password is used anywhere else, you should change it there also.

Turning on Google’s two step verification
If you have a cell phone I highly recommend turning this feature on.
It’s pretty simple.  Go to Google’s instruction page, click “setup 2-step verification”, and follow the simple steps.  Here are some tips.

  1. Use SMS to your cell phone.  It will test the process for you.  If you choose to remember the code when you log in, you don’t need to use the code every time you log in, just when using a different computer or when the code expires.
  2. Set up a backup phone so that, in case you are traveling, you can have the verification code sent to your travel partner’s phone if all else fails.  (See number 3.)
  3. Print out the one-time codes that you are given in one of the steps, put a copy of them in one or more safe places, and put them in your wallet or purse.  If you find yourself with a dead cell phone and no access to the backup phone, these codes can be used instead (each can be used one time).  
  4. Don’t forget to go through the process to set up each of your phones and tablet computers that need automatic access to your Gmail account.  I suggest setting up a separate password for each, so that if you lose a device you can cancel that one device password.  You only have to do this once, so sure, it may take you a few minutes, but it’s worth it.
Chris Claborne
