Cloud computing is about making your information easily accessible from anywhere, on any device. Until today, organizations looking to secure their information beyond a password have faced costs and complexities that prevented many of them from using stronger security technologies. Today we are changing that with the introduction of a more secure sign-in capability for Google Apps accounts that significantly increases the security of the cloud: Two-step verification. For the first time, we’re making it possible for organizations large and small to use this technology in just a few clicks for free. In the coming months, we’ll also be offering this same security to our hundreds of millions of individual Google users.
Two-step verification is easy to set up, manage and use. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account: something you know (a password) and something you have (a mobile phone). It doesn’t require any special tokens or devices. After entering your password, a verification code is sent to your mobile phone via SMS or voice call, or generated by an application you can install on your Android, BlackBerry or iPhone device. This makes it much more likely that you’re the only one accessing your data: even if someone has stolen your password, they'll need more than that to access your account. You can also indicate when you're using a computer you trust and don't want to be asked for a verification code from that machine in the future.
Two-step verification is built on an open standard designed to allow integration with other vendors’ authentication technologies in the future. We are also open sourcing our mobile authentication app so that companies can customize it as they see fit.

Two-step verification continues Google’s stream of security innovation. In early 2009, we added the ability to view password strength and set minimum password length requirements for Google Apps accounts. Later in the year we were the first to provide HTTPS encryption to millions of users, and in 2010 Google Apps was the first cloud messaging and collaboration service to gain US government security certification.
Administrators for Google Apps Premier, Education, and Government Editions can activate Two-step verification from the English version of the Admin Control Panel now, and Standard Edition customers will be able to access it in the months ahead. Once enabled by their administrator, end users can set it up in the Accounts tab in Gmail settings.
40 comments:
I think this should be made a defacto for all Google Accounts. People can opt out if they want but this will be a saviour for many.
I am curious as to how and when this will be incorporated into the Google Data APIs. Specifically:
* If two-step verification is enabled, will API access be allowed before the API supports two-step verification?
* If apps using Data APIs need to incorporate entering a verification code, some facility for apps that operate in the background or unattended will be needed. I assume this could be a mechanism similar to indicating that the user is using a trusted computer.
This sounds like an excellent new feature. Previously I had to mess with external SAML solutions that were never as robust for using with mobile devices and had to be enabled for everyone, not just higher-security accounts. This implementation looks like it will be far easier to deal with.
However, I'm wondering if this has been enabled for Google Apps accounts that have been transitioned to full Google Accounts?
I've enabled it in the Domain settings but none of my users are seeing the link to actually set it up on their Account page -- only the usual "Change Password" and "Change Authorized Web Sites" links are appearing.
good job
It would be great if this was a standard option on ALL of Google's services. This is the best way ahead for cloud services. Google...you really are on the leading edge of things.
Using SMS in addition to a password to authenticate users is a huge step forward in protecting users and their data. In order to access your account, an attacker would need your password and physical access to your cell phone - virtually eliminating the possibility of phishing and password cracking.
While it should be fairly straightforward to add multi-factor auth to existing browser based web apps, it would probably be a challenge to deploy on rich native apps. (mail clients, IM clients, etc)
It's a really wonderful and extraordinary feature to protect all the Google Apps! But will we have to wait a few days to activate it? Thanks for the update.
This is fantastic, adding an extra layer of security for information particularly business information is never a bad thing and it puts Google apps on par with the security used by many banks.
Hopefully this will help ease the fears around data security in clouds even if only a little.
This is great in theory, but it's a system that's been used for years by banks. It is more secure, but it is flawed. You are then putting access on a device, and if that device is stolen or lost it puts the whole system at risk and becomes a lot harder to recover from. A great way to choose to upgrade your security, but it is not a new standard of password protection.
Is Google SAS 70 certified?
I love Google who are changing the world!!
From what I've seen elsewhere, this may be based on the same mobile applications used for VeriSign PIP.
If that's true, will we be able to register a physical VeriSign credential device (via its serial number) if we already use one for other purposes, optionally in lieu of installing an app on a phone?
This is a good start. I have never understood why multi-factor authentication is not more widely used. I would like to see more options on the second factor. I don't like the idea of a dead or lost cell phone when I need to access my account. Maybe a third party authentication provider like Yubico.
My audience at Business Tech Weekly will greatly appreciate this. Thanks for releasing something to Google Apps users first. Can I get the new Contacts system now?
Will the mobile app work without connectivity? And if so, is it vulnerable to a theft of your phone's backup files from your computer?
I wonder if it's going to cost you anything as a user. SMSs aren't free :)
Having an app on my phone behave like an RSA-style fob is a brilliant idea.
I'm just wondering, though, why would you only roll this out to Google Apps users, it would seem just as equally useful to regular GMail users too?
Is it possible for you to add Verisign PIP card support?
Am I right in thinking this is following the OAuth 2.0 draft? It's been a few weeks since I read whether there were any changes; time to activate!
How do we use this on Android? Once enabled I got a notification that it could not sign in to my Google Apps account, which is to be expected. When I clicked the notification it loaded the screens you see when first adding a Google account to Android but then just loaded the web Google Mail page instead. Where do I enter my IssuedAuthSubToken?
I'm able to enable it in the Apps domain management section, but then on the user side I do not see any option to enable it in Gmail -> Settings -> Accounts (even after clicking on the link 'Google Account settings').
Does it not work on administrator's accounts?
Thank you for the feature - we've long waited for it. But still I cannot see any way to activate it in our Premier control panel. Is it country specific or something?
Bravo!
Good idea but...
what if I lose my phone?
Or if someone steals it?
Murphy is always around!
Have Apps Premier and not seeing any option to enable in Control Panel/Domain Management even though I have next generation, automatically add new services, and enable pre-release features all enabled.
Perhaps it's a rolling release and will take some time to reach all eligible domains?
Rob
Thanks for this excellent feature :)
Hello,
From when will it be activated? Or do we have to enable some settings?
This is a good idea ... But...
Google Calendar has SMS notification. This notification does not work reliably (well). For example: users of Orange Slovakia do not receive SMS notifications (since about 3 months ago). And this error is not on the Orange side.
And now - my Google account is protected by SMS notification and it does not work... Users are without access to the account.
Has anyone been able to get this to work with a "Full Google Apps Account" or "Google Apps +" account? We enabled the full features as an early adopter, and even though we turned on Two-Factor availability, users do not see the option in their account settings to self-enroll / opt-in.
This is a nice advancement, but like so many strong authentication approaches, does introduce friction into the authentication process, both by requiring a second device channel (my phone's SMS won't work on a plane, while wifi on my laptop will) and requiring a read-and-type exercise as part of each login.
I think fingerprint ID should be offered as an option for those who want the highest level of security - who you are - but also want authentication to be forget- and phish-proof and be fast and easy.
Have you looked at BIO-key's web-based fingerprint biometric authentication (www.bio-key.com)? BIO-key doesn't aggressively market themselves, but BIO-key web-based fingerprint authentication is used by AT&T, LexisNexis, McKesson, Allscripts and several worldwide banks, because it allows a web app to authenticate using any browser and a USB or built-in fingerprint reader - including the ones in laptops and smartphones. Fingerprints aren't stored, and it's designed to run in the cloud, and supports device sharing between users - authentication happens centrally in Google's environment, so it's portable. BIO-key is about to come out with an OpenID implementation to use, as well.
Most business laptops and 3 out of 6 of the laptops being currently sold by Costco have built in fingerprint scanners - ready to be used by Google to strongly authenticate their users in a cool and convenient way.
Even the stodgy DEA revised their initially token-only rule for ePrescribing controlled substances to allow for BIO-key fingerprint biometrics after many BIO-key customers lobbied for it to be added to the regulation.
In regards to John Brayton's question about GData APIs:
Once two-step verification is enabled on a domain, it will still be possible to use GData APIs that require authentication. In this case, the ClientLogin Auth method will no longer work with the regular account password. However, one can generate an access code (see: http://www.google.com/support/a/bin/answer.py?answer=1032419), and this access code can be used in place of the password for ClientLogin-based authentication.
If an API supports an OAuth authentication method, then this auth method should work the same way with two-step verification activated or not.
- Michael
We don't need this for ordinary logins. But it would be great if one could enable it for admin functions/login to the admin panels.
Would like to enable this option for my GAFYD. Unfortunately, as reported by others as well, I'm getting the message when trying to enter the "services" button in "Organization and Users"
"We are unable to process your request at this time. Please try again later. (Error #1000)"
Leaving me unable to enter any settings.
Well, closer now... I enabled the feature in the Control Panel but my email doesn't seem to have any new options in Settings/Accounts/Google Account Settings. Is it because I'm an admin and the feature is not available for admin accounts, though I didn't see that limitation in today's email or recent blog entries?
Rob
We are living in the African Bush. Connected only by Satellite to the internet and without any Cellphone or regular Phone reception at all. The only thing we got is Skype. So, how can we further use Google Apps if we are absolutely unable to make use of that new feature? Are we now blocked out?
When can we get this SMS feature in Ireland?
Will there be an app for Nokia Symbian OS?
Cheers,
Kirk
Yes, LloydsTSB have had it in play for a while now. Great idea, but practically useless. You have to be in a good reception area for starters. I have to go outside to get a signal!
And, if the LTSB system is anything to go by slow typers will never get started.
Great to see Google moving away from static passwords to a one-time passcode, but surely there must be a way to generate a one-time passcode without sending the user an SMS (not guaranteed) or having some form of token/app that might not be available; come on Google, you've brought everything else into a web paradigm, now do the same with strong authentication!
Am I the only one that can't figure out how to make this jive w/ my Blackberry email and even Google email app for Blackberry?
Works great for desktop/browser sessions, but without working email on a mobile device it's too inconvenient.
What am I missing?
We've had a couple of questions about why this feature is not available yet. There was a subset of accounts that couldn’t accept the new feature initially, but the rollout should now be finished.
Also there were a few questions about the API. API access requires OAuth or use of an access code with ClientLogin. It's not possible to access APIs with just a user's password. You can generate access codes here: https://www.google.com/accounts/IssuedAuthSubTokens