Recently I signed up for a small slew of new-to-me Google services — Google Voice, Google Talk, and Google Reader (which now serves as my browsers' home page). These are in addition to all the Google goodies I'd already been using, including Analytics and Docs, plus those extra Gmail accounts that work so well as throwaways for logging in to websites. Along the way Google asked me if I'd like to avail myself of their two-factor authentication system for my main account, to provide additional security and help prevent someone from hijacking my collection of all things Google (not to mention my identity). It turns out that this has been available from Google since early this year; evidently I missed that memo, but better late than never.
If you also missed that memo, two-factor authentication is the simplest form of what's known in the trade as multi-factor authentication. In a nutshell, two-factor authentication provides increased security by relying upon the presence of two components for login: something you know, such as a login ID and password; and something you have, typically a physical token like a USB dongle. Both these items are required at the moment authentication is desired, and neither is usable alone for any purpose. Single-factor authentication schemes only require your username and password, and as we know these are subject to being appropriated by hackers, thieves, and other assorted bad guys. To make matters worse, computer users tend to eschew long and complicated (but more secure) passwords, as they're a pain to remember. The benefits of two-factor authentication are substantial, especially if you're as paranoid about security as I am.
Last week I went through the process of setting it up for my main Gmail account, with which I log in to all things Google. In this case, the second factor consists of an app called Google Authenticator, which installs on mobile phones (yes, there are versions for Android, iPhone, and even my trusty Blackberry). The app, which can be downloaded free from Google's mobile site and installed, generates numeric codes that change at random intervals, although no code seems to stay on the screen for longer than ten or so seconds. Next time I logged in on Google, it presented the dialog box. There is an option to re-authenticate each time you log on via the Web, or to have Google remember that you authenticated for 30 days. And you will have to authenticate for every browser you use, as well as for any and all websites that use Google for authentication. But your account will be tightly locked down, unless of course you've managed to lose both your phone and your computer.
There is a downside over and above the occasional hassle of typing in the extra code, and it's a doozie: the two-factor scheme breaks every app you use where a Google-based login is involved. This includes email clients, most of which do not and cannot provide the dialog for entering the code. After you log in to Google via the web, you have to go through every app and enter a special Google-generated and -approved password to authenticate via Google. I had to enter the passwords for Apple Mail, Tweetdeck, and even Facebook. The good news is that you only have to do this once per application, and it's done.
The only serious hiccup was my fault, and arose a few days after completing the installation. When I tried to log on to youtube.com using my primary Gmail ID but on a different computer, Google asked for the second factor, and I seemed to have a senior moment. I could have sworn that Google was about to send the code via SMS to my phone. Wait, that's wrong; I have the code on my phone from the installation and have to look for it in the phone. I burned through nearly ten minutes searching -- no love on the phone. But I hadn't bothered to completely read the caption above the dialog, which clearly stated "Enter the verification code generated by your mobile application." That's "application," not SMS or text or even "...by your mobile phone." Confused, a bit frustrated and more embarrassed, I entered one of the backup codes which are issued as the final step of installation, and hot dog! I'm in. It was at that point that I remembered the app on the phone, and carried on.
The takeaway is that two-factor authentication does make one's accounts substantially more secure, at a cost of some inconvenience. The question in my mind is whether this scheme would pay off in the education sector or, as my bank tells me, it would drive off too many customers (that's literally what they told me when I asked if they offered the service).
But it's good enough for Google. Next time I'll endeavor to discover whether it's good enough for the ivory towers of academia.