Will you Enable Two Step Verification on your Google Account?

I tweeted a little about this over the weekend: Google has now enabled Two Step authentication for all accounts (if it has not hit your account yet, it will soon).

[Image: 2-22-2011 7-50-49 AM]

What is Two Step authentication? Simple: in addition to your password, you need a 6-digit random code, which you can obtain via an app on Android, Blackberry and iOS, or via SMS or phone. The code is randomly generated, unique to you, and time based, changing every 30 seconds or so. This means that a hacker who obtains only your password cannot use it alone to hijack your account.

I have had a PayPal Security key for my PayPal account for a couple of years now, and am very happy to see Google add this option. I would like to see my banks, credit card providers, and others add this option as well.

When you enable Two Step Authentication you are given 10 codes to use in an emergency, in case you don’t have access to your phone to retrieve a verification code. You do need to decide how to securely save them where you will have access to them if you need them (hint: don’t store them somewhere protected by your Google account).

On a PC, after initially logging in with a verification code, you have the option to only require a verification code every 30 days.

Mobile devices and other Google Apps that don’t yet support Two Step Authentication no longer use your Google account password; instead they use a password you generate for your account, so your actual Google password is no longer stored on your mobile device or in other applications. You can also revoke the application password at any time from your Google account page. In this example I named this password ‘Android’, as it is the one I created to use on my phone.

[Image: 2-22-2011 7-41-48 AM]

You can create multiple application-specific passwords. After you clear the password off the screen there is no way to retrieve that password again; if you need it again you simply create another one (and preferably revoke the ones no longer in use).

So Two Factor Authentication adds a little overhead to your account, requiring you to retrieve and enter the code on logon, and manage application-specific passwords. To me the few seconds it will cost me here and there are completely worth it for the security it adds. I have seen far too many people have their accounts hacked recently, and even though I use secure passwords, and change them (somewhat) regularly, I really feel better about my account security with Two Step Authentication enabled.

Will you turn it on for your account? It is available for Gmail accounts, and Google Apps for Domains accounts, though in the latter the option has to be enabled by the domain administrator.

The Official Google Blog: Advanced sign in security for your Google account

2 Responses to Will you Enable Two Step Verification on your Google Account?
  1. Uwe Brahm
    February 22, 2011 | 11:14 am

    Question:
    Will this kind of security be made
    available for Domino iNotes (or any
    other authentication system) as well?

    Uwe s

  2. Chris Whisonant
    March 1, 2011 | 2:35 pm

    Uwe, why would anyone want that for iNotes? Besides, if you use things like RSA, you can have an enterprise-grade true two-factor authentication. If you want the added security of something like that with iNotes, then it’s possible today to do that. Also check out Lotus Mobile Connect.