Wednesday, March 9, 2011

Google Double Authentication

Although it can be a bit confusing at first (despite Google having very clear help pages), Google Authenticator is a great second-level authentication method. It is as simple as this: if you have a smartphone, you register that phone with your account and install Google Authenticator on it. From then on, any access to your account requires two things: your password *AND* the activation code that your phone computes in real time (it changes every minute or so). Don't worry, you don't have to re-enter it all the time; at home your credentials are saved as a cookie. On a public computer I certainly hope you don't save it as a cookie -- if you have no idea what I mean, be sure to uncheck 'keep me logged in' on shared computers.

If you lose your phone, there are backup codes (a set of 10, each usable only once; when they are used up you have to generate a new set). There is also the option of adding a trusted friend's number as a backup phone.

It is a good step towards better security, and it actually allows you to use weaker, less secure passwords (though I don't recommend that). I personally have a very long password coupled with this second-layer authentication. Of course, it is not unheard of for sites themselves to have exploits that breach customer data. In my case, that (I hope) is the only point of vulnerability. I dare not say it couldn't be hacked though, because as soon as I said that, somebody would find a way and do it -- via social engineering or whatever mechanism ;o.

This makes me sleep better at night, despite my secure password. Now I know the attacker must also have my phone to 'get in'.

Thanks to Google for providing such a service ;). Nice job guys.

