Do you store important things at Google? Maybe private documents on Google Docs, or all your email on Gmail, or even just your search history? Do yourself a favour and enable 2-step verification for your Google account.

Two-factor authentication makes passwords stronger by requiring the user to prove themselves with an extra code in addition to the password. The codes are time-limited, so they can't easily be stolen and reused. I've been using two-factor for my bank and my Warcraft account for years now and I'm glad I can finally protect my Google account. Email accounts are particularly sensitive since so many other websites let you reset your password via email.

Google's implementation is pretty good. Most users will set it up so their second code comes from a simple program on their smartphone, and they enter it once a month on every new computer. If you lose your smartphone there are backup login options available: a printed code you can carry in your wallet, or a backup phone number. There's a bit of extra awkwardness for some applications that don't know to ask for the second auth code; the workaround is reasonable.

The interesting thing is that Google is also an OpenID provider. All the pieces are now in place to end passwords. Most web sites (like, say, Gawker) shouldn't have a user password at all; they should just use OpenID to authenticate via Google. And Google authentication is now quite strong, thanks to two-factor. There are business and product barriers to widespread adoption of OpenID logins, but it's undeniably more secure.

I'd like to end this post with a shout-out to my friends at Duo Security, a startup developing two-factor authentication for easy integration into any site. Check out the demo; it's very slick, and the guys running that company are some of the smartest security people I know. Google's gone and built their own system, as they always do. But if you've got a company looking to do two-factor yourselves, check out Duo.

  2011-02-19 01:13 Z