Google added a two-factor authentication option to Google Apps on Monday, allowing enterprises to protect user accounts with a one-time code delivered through a mobile phone, in addition to the usual password.
The option will provide additional protection against phishing and malware attacks, as the one-time codes are valid for a limited period, said Eran Feigenbaum, director of security for Google Apps.
Two-factor authentication typically relies on something the user knows, such as a password, and something they have, such as a smartcard, security token or—in Google’s case—a mobile phone.
Microsoft offers a similar two-factor authentication service using SMS text messages, which it first announced in May.
Google will send out authentication codes by SMS (Short Message Service) or voice message. The SMS service will be free and available in 19 countries including Australia, Denmark, France, Germany, the Netherlands, Sweden, the U.K. and the U.S.
The authentication codes can also be generated locally using a smartphone app called Google Authenticator, available as a free download from the Android, BlackBerry or iPhone app stores. Apple has already approved the Google app for the iPhone and all three apps are now available, Feigenbaum said.
Google is making the source code for its Authenticator application open source so that companies can change the user interface, perhaps to incorporate their own branding. However, Google will not distribute the source code for the algorithm that generates the codes, Feigenbaum said.
The authentication process is based on an open standard for authenticating devices and networks called OATH—not to be confused with Oauth, another open authentication protocol aimed primarily at Web applications. OATH supporters include VeriSign, Sandisk and a number of smartcard manufacturers.
Administrators can enable Google’s new authentication function for users of the Premium, Education and Government versions of Google Apps. Users of the Standard edition and of consumer services such as Google Docs and Gmail will have access “in the coming months,” Feigenbaum said, although he declined to say whether that would be before year-end.
Once their administrator has enabled the function, Google Apps users must provide Google with their mobile phone number for the SMS option, or install the app and set it up by entering a secret passphrase into the app and into the Google Apps website.
After that, each time users log in they will see an additional text box inviting them to enter a six-digit code. To get the code, they can either request one via SMS from the login page, or click on a button in the phone app to generate a new one.
Users who repeatedly log in from the same machine—their home computer, for example—can choose to “Remember verification for this computer.” That will set a cookie on the machine instructing Google’s servers not to request the authentication code. That reduces security protection if the machine is stolen, said Feigenbaum, but “If someone has physical access to your machine, you have bigger problems to worry about,” he said.
However, on public access computers, two-factor authentication can provide an additional level of protection, as the verification code delivered through the phone is only valid for a short period of time, he said.
Those with different online identities for Google Apps for work and Gmail for personal communications will be able to program Google Authenticator with both identities, allowing them to generate different codes for each account.
Google began work on Authenticator almost 18 months ago. The company’s staff have all been using it internally for the last three months, Feigenbaum said. That testing allowed them to optimize features such as the code length, he said.