Monday, September 20, 2010

Google's New 2-Factor Authentication Feature

I was pretty shocked when I read this article and realized that I understood something that Google was doing, and why they were doing it, at least generally.

Four hours ago, Jason Kinkaid wrote, about two factor authentication, that "Today, Google is announcing that it’s bringing the security feature to its millions of users: the feature will be rolling out first for Google Apps Premiere, Education, and Government edition customers, with plans to bring it to all Google users (even those who aren’t using its Apps suite) in the next few months." The article incorporates some explanation of what "this new security feature" can offer users, like greater protection against phishing scams and having a password hacked.

I applaud Google for taking this step toward a higher level of security in their authentication process, but is it really going to do what it claims?

What Google says it will do is circumvent the inherently expensive existing methods of 2-factor authentication implemented primarily by major corporations and let the everyday person experience an increased sense of protection from the myriad internet scams and crimes out there. But in order to make 2-factor authentication something that doesn't compromise the high number of Google accounts, Google may be taking a risk in terms of the viability of their 2-factor authentication system. What word(s) stand out to you in the following description of the system?

"Google’s system doesn’t require a physical keycard. Instead, it relies on your mobile phone. First, you need to activate the optional feature from your settings page (...only available to certain Google Apps customers at first). Then, when you go to sign in to your Google account, you’ll first be asked to enter your password as usual. Next, you’ll be brought to a screen asking for a verification code [that] comes from your mobile phone, which you’ve previously linked up to your Google Account."

For me, the word "optional" makes this whole 2-factor authentication "system" more like a feature. It doesn't make using GMail safer. For example, say you use 2-factor authentication because you are smarter than the average bear, but your buddy doesn't know any better. What happens to you when your buddy's email account is hacked and you suddenly get some serious malware on your computer because you opened a link from an e-mail source you trusted? Not all Google accounts are safer. In fact not even the people who use 2-factor authentication are necessarily "safer."
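To make the two steps in the quoted description concrete, and to show what "optional" means for an account that leaves the feature off, here is a toy model of that sign-in flow. It is an added example written for this post, not Google's code and not from Kinkaid's article; the six-digit code, the five-minute lifetime, the single-use rule and the stand-in `send_to_phone` delivery function are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this example: a 6-digit code, valid for CODE_TTL seconds, usable once.
CODE_TTL = 300


class Account:
    """A user record: salted password hash, phone on file, and the optional
    second-factor flag the post is talking about."""

    def __init__(self, username, password, phone=None, two_factor=False):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.phone = phone
        self.two_factor = two_factor
        self.pending = None  # (code, expires_at) while step 2 is outstanding

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        # Constant-time comparison so timing does not leak how close a guess was.
        return hmac.compare_digest(self._hash(password, self.salt), self.password_hash)


def send_to_phone(phone, code, outbox):
    """Stand-in for the SMS or voice-call delivery (constructed for the example):
    the code is appended to `outbox` instead of being sent anywhere."""
    outbox.append((phone, code))


def begin_login(account, password, outbox, now=None):
    """Step 1: the password as usual.
    Returns 'denied' on a wrong password, 'ok' if the account has the second
    factor switched off, or 'code_sent' once a one-time code has been issued."""
    if not account.check_password(password):
        return "denied"
    if not account.two_factor:
        return "ok"  # optional feature left off: the password alone grants access
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending = (code, now + CODE_TTL)
    send_to_phone(account.phone, code, outbox)
    return "code_sent"


def finish_login(account, code, now=None):
    """Step 2: the verification code from the phone.
    The challenge is consumed on the first attempt, right or wrong, and expires
    after CODE_TTL seconds, so a captured code cannot be replayed later."""
    if account.pending is None:
        return "denied"
    expected, expires_at = account.pending
    account.pending = None
    now = time.time() if now is None else now
    if now > expires_at:
        return "denied"
    if not hmac.compare_digest(code, expected):
        return "denied"
    return "ok"


if __name__ == "__main__":
    outbox = []  # constructed capture of what would be sent to the phone
    alice = Account("alice", "correct horse", phone="+1-555-0100", two_factor=True)
    print(begin_login(alice, "correct horse", outbox))   # code_sent
    _, code = outbox[-1]
    print(finish_login(alice, code))                      # ok
    bob = Account("bob", "hunter2", two_factor=False)
    print(begin_login(bob, "hunter2", outbox))            # ok, no second step
```

The `bob` account is the point of the paragraph above: with the feature off, a stolen or guessed password is still the whole story for that account, whatever `alice` has enabled on hers.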

Of course, it makes sense that the feature is optional, since it doesn't seem like Google has a way to ensure that users without smart phones or even mobile phones can pull this off. I think of my poor Grandmother. Kinkaid's article did say, however, that Google would give your landline a ring with the authentication code if you don't have a cell phone. But who is going to do that? And what about people who don't have phones (they're out there... think of people without the resources to afford a phone but were able to set up their own GMail accounts at a library computer, for example).

All in all, I'd say this 2-factor authentication from Google isn't all it's cracked up to be.

5 comments:

  1. It seems as though Google is playing to a larger audience and attempting to make people feel more secure about using the software they put out. While they may genuinely be trying to make their users more secure, it seems slightly out of place to make the 2-factor authentication optional. It also seems to defeat the point of it, as most people are not going to go to the trouble of making a new password and implementing a second step just to make sure they are safe (may sound strange but it's true). I see the potential in government use of the system but I don't believe it will be as widely used in the public.
    On a side note, having a 2-factor doesn't mean that a person won't get hacked. It just means that there is an extra layer to prevent someone from manually hacking an account. Like in the post, if someone else sends you an infected attachment or email and you open it, you could be infected as well.

  2. I agree with Michael in that most people are not going to go through with the trouble of making a new password and implementing the phone confirmation step to protect themselves. Another situation to think about: What if you are on a business trip or family vacation and want to login to your account that has cell phone confirmation enabled but your cell phone service provider does not have service where you are in the country or world? If you did not disable the confirmation step before leaving on your trip then suddenly your 2-factor authentication system is actually a barrier preventing you from accessing your own account. This may only temporarily hinder you from accessing your account but if you need to quickly send out an e-mail then you are out of luck.

  3. I think Google has to make the two-factor authentication process optional, at least at first. GMail will be more appealing to security-minded users because it offers the feature, but will not be imposing on those who do not want to make a new password, etc. As previous posts have suggested, many people do not want to take the extra step if they have not had any problems in the past.

    I was also considering what more Google (or any other email provider) can do to improve its two-factor authentication system. Given the nature of email today, it is hard to find a combination of something you have, something you know, or something you are. Implementing some sort of biometric authentication is not nearly as available or convenient as requiring a password and cell phone. This might be a way of the future, but Google's new feature is a step in the right direction. I just do not think protecting email servers has been a top priority yet: transactions at banks and access to buildings with sensitive information do require a two-factor authentication because people have recognized right away the consequences should a security breach occur. However, now that we are seeing more problems that have surfaced from email, perhaps there will be more done to implement a readily available two-factor authentication system.

  4. The idea of a two-part authentication system is definitely a huge upgrade for users who are worried about the protection of information held within their e-mail accounts. Once again, users can help their cause by preparing a difficult password that will make it even more difficult for others (and hackers) to gain access to. The second step with the phone is a work in progress, because they are assuming that everyone has access to a cell phone, particularly a smartphone that will be compatible with the Google feature. But as stated in the previous comment by Epalag, it is definitely a step in the right direction. This new feature will not protect users from ALL harms but it provides more of a comfort level for users knowing there is a higher level of protection.

    As for a way of improving the two step authentication feature, I once again have to agree with the previous comment and say that biometric authentication is the next step for protecting vital information within users' e-mail accounts from others (primarily hackers). As we saw in our field trip to the OIT building, biometric authentication is widely used throughout the building, as palm reading scanners are the only way to access certain rooms. I do not know how Google will apply a biometric authentication system to an e-mail account but I will not be surprised to see Google introduce something very similar to the idea as the next step for the protection of users' e-mail accounts.

  5. I don't think that 2-step authorization is something that will work if it is optional. As has been previously stated, if it's optional, how many individuals are going to go through the trouble just to make their email secure? In addition, if they do go through the 2-step authorization process, is their email really that much more secure? Probably not, unless every other Gmail user has also gone through the 2-step authorization process. If Google wants to make the attempt to secure their Gmail accounts it needs to be all or nothing. If every account user participated, it might actually make a difference in terms of security. However, from a business standpoint, is being forced to go through these extra steps going to cause individuals to switch their email to a different provider? All in all, I think that Google is implementing this system potentially with good intentions; however, all it is is a feel-good method to make all Google's users feel more secure.
