Google introduces 2-step account verification, but is it too much to ask of users?
Google today announced 2-step verification for account holders. The new security feature is rolling out gradually; I haven't received the update and so couldn't test the new feature. I like the concept but wonder how many people will bother to set it up or will cringe at the steps required to use it.
Like so many other cloud services, Google requires only a username and password to log in to a Gmail account. The new mechanism adds a verification code delivered to the user's cell phone. Additionally, there are 16-character application-specific passwords for e-mail clients and other programs that cannot prompt for the code. The extra layer of security is compelling, but in some ways daunting.
In a blog post, Nishit Shah, Google security product manager, said 2-step verification could take as long as 15 minutes to set up. "Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you."
The idea is simple: If someone gets your ID and password, they would still need the verification code -- delivered to your cell phone -- to access the Google account. Depending on settings, the code is required at every login or, on a computer you mark as trusted, only once every 30 days. Google also asks for a second phone number as a backup, should the user lose, say, a cell phone. For applications that cannot prompt for a code, a 16-character application-specific password replaces the user's normal password; each one needs to be entered only once, when the application is first configured.
I can speak from experience about the dangers of the current username/password mechanism. Over the holidays, my daughter received a YouTube security alert about her account being hacked and asking to log in to the account. It was a phishing message, and the website a fake. She signed in, and hackers seized control of her Google account ID and started spamming her YouTube account. Google responded quickly to my request to recover the account. It's unclear without testing 2-step verification whether the mechanism would have prevented the phishing attack.
The timing is important for Google. With 300,000-plus activations per day, Android is generating lots of new accounts. It's smart to offer the extra layer of authentication, which is as much about the future as the present, as Google Checkout expands its payment service.
Both processes -- setting up initial account verification and application-specific codes -- are a lot to ask of computer users. I'll do it. Is it too much for you? Please respond in comments, or e-mail joewilcox at gmail dot com.