Google has recently enabled two-factor authentication for Google products like Gmail. What is two-factor authentication? It means that in addition to providing your password, you need to provide a random verification number that Google will send to your phone, either via an app, a text message, or an actual phone call. Thus, to log in, you need two things: a password and your phone. With only one or the other, you can’t get in. This is much stronger than a password alone, which is why some banks have been moving to two-factor authentication for customers. Google’s decision to enable it for email, and for just about everybody with an account, is certainly groundbreaking.
Since I use Google, I decided I’d turn it on to take advantage of the increased security. As reports have indicated, it takes about 15 minutes to set it up, but it wasn’t difficult at all. Since I have an Android smartphone, I was able to install Google’s app that generates verification numbers by simply scanning the QR Code that Google gave me. Once that was installed, I was able to use two-factor authentication to log into my email account. You can configure it to require two-factor authentication every time you log on, or you can remember the login information for 30 days.
Google’s two-factor authentication is not without its issues. Although it works great for any of Google’s products that you access from a browser, like email, Google Docs, Google Reader, and so forth, for stand-alone programs like an IM client, or Gmail on your phone, the extra verification code will not work. For these uses, Google allows you to generate passwords in lieu of your typical password. You need to do this for each service, so if you have a lot, it’s going to be a hassle. Since I don’t use my Google account to log on to other websites, I only had to configure passwords for Pidgin and my phone. If, however, you do use your Google account to log into dozens of other websites, getting that configured is going to be a pain.
All in all, I’m glad Google has made this available to users. I’d like to see it spread to other logins, especially for my financial info. Neither ING Direct nor U.S. Bank has this feature; my credit cards are also similarly lacking. Now that the widespread prevalence of smartphones makes adding this functionality much cheaper than handing out actual physical tokens, there’s no reason not to implement this.