“We’re excited to be making 2-step verification, our two-factor authentication account security system for Google Accounts, available to any Google user beginning today,” said a Google spokesperson, adding that Google is introducing additional features to make the security controls more widely available and easier to use.
Authentication is the process of verifying that you are yourself–the legitimate owner of the account–before allowing access. Authentication relies on something you know–such as a password or something you have, like a mobile phone–or something you are, like a fingerprint.
The problem with the standard authentication model is that it relies only on something you know–and that something is often easily guess, cracked, or otherwise compromised. While a username may seem like “something you are,” it is just a word, so it is actually “something you know”–which is generally not protected or kept secret, so it is a non-factor. That leaves the password.
As incidents such as the Rockyou.com and Gawker.com data breaches illustrate, the majority of users depend on weak passwords that are trivial for an attacker to discover. Many people also rely on the same user name and password to protect all of their various accounts–making that one password a proverbial key to the entire kingdom of their digital life.
Once an account is compromised, the attacker can modify details, such as the alternate e-mail address, phone number, or other contact information, making it extremely difficult for the legitimate owner to reclaim the account.
That is where the Google two-step verification protection comes in. With the new Google authentication, you need a code that is sent via SMS to your mobile phone in addition to the standard password.
A blog post from Google announcing the new feature explains, “It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know–your username and password–and something that only you should have–your phone. A hacker would need access to both of these factors to gain access to your account.”
The feature will be rolled out to all Google accounts over the next few days. The initial set up will take about 15 minutes according to Google. Google has made the setup process more user-friendly, and has also expanded availability to more countries.