Google announced that it is implementing two-factor authentication for Google Apps to improve security. The introduction of more stringent authentication controls removes one of the hurdles for businesses to embrace Google Apps and makes the productivity suite a more viable option for organizations concerned with security in the cloud.
Security is one of the biggest obstacles for many organizations when it comes to considering cloud-based services. Web-based services have the benefit of being available from virtually anywhere rather than being shackled to the local storage of a specific machine, but if users can access the data from anywhere so can attackers.
Despite decades of user awareness efforts, passwords are often trivial to guess or crack. The compromise of passwords at RockYou.com provided a unique opportunity to examine actual passwords used in the real world. A study of the more than 30 million passwords exposed when RockYou.com was hacked found that almost half use names, common dictionary words, or sequential characters like "qwerty".
Those odds don't help IT admins sleep better at night. It is bad enough that half of the lost or stolen laptops, or portable storage devices such as USB thumb drives, might contain data that is trivial to gain unauthorized access to--but voluntarily placing that same data on the Web where anyone with an Internet connection can access it 24/7 is like begging for data to be compromised.
The two-factor authentication strengthens the security of Google Apps by relying on a technology that is nearly as ubiquitous as the Web-based Google Apps productivity platform: mobile phones. If the two-factor authentication is enabled, a one-time authentication code from the mobile phone is required in addition to the standard account password in order to access Google Apps.
For some organizations, the additional protection offered by two-factor authentication can also help satisfy data protection requirements. Businesses that fall under Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and other regulatory and industry compliance mandates must have certain security controls in place or risk serious legal and financial consequences. With the option for more stringent authentication, organizations have a reason to take another look at Google Apps.
There is a potential downside as well, though. While the mobile phone is nearly as ubiquitous as the Web itself, it is also a mobile device that is easily lost or stolen. An attacker with the mobile phone or smartphone in hand would have access to the second authentication factor, and the presence of the Google Authenticator app would be a giveaway that the user has a Google Apps account.
But, it is called "two-factor" for a reason, and the attacker would still have to determine the username and password to successfully compromise the Google Apps account even with access to the one-time authentication code.
With the addition of two-factor authentication, Google Apps is a much more attractive option for security-conscious organizations. IT admins that have avoided Google Apps should re-examine the benefits of the Web-based productivity suite.