Google's new two-factor authentication scheme is a huge improvement in terms of account security in the public Cloud. But I can't use it for regular day to day use.
Sometimes, with technology, you need to be careful what you wish for.
A couple of days ago I kvetched about needing something better than straight password authentication for sites like Google and FaceBook. I suggested that perhaps we might need to look at biometrics, but I realize that getting that type of thing standardized and deployed into actual products might take several years.
There is another type of authentication mechanism, which is extremely effective at keeping out the bad guys from your applications and accounts and that has been around for quite some time -- it's called two-factor token-based authentication using one-time passwords.
Unlike various kinds of biometrics, this type of system doesn't require new hardware on your PC or smartphone to employ, and has been in use for well over a decade, particularly in the financial industry.
RSA Data Security for example has made a nice business out of this with their SecurID product line, which is deployed as a credit-card sized device or a special keychain "token" issued to each user that displays a new verification code every sixty seconds.
That verification code, when used in combination with the account password, uniquely identifies the user. If you l don't have that authenticator token, you don't get in.
Verisign, now a division of Symantec, has a cloud-based service that allows you to use your existing smartphone instead of a separate hardware gadget as the "token".
What Google has done is pretty similar. Instead of a keychain or a credit-card, it allows you to store an authentication token on your cell phone, be it an Android or iOS device, and have it display the passcode to you in a mobile application. Alternatively, if you don't have a smartphone, Google can SMS your cellphone an authentication code each time you need to sign in.
You can have this set to re-authenticate you each time you log in via the web, or every 30 days.
Now, all of this works pretty well, provided you are just using GMail and Google Apps over the web. It will lock your Google account down like Fort Knox. The phishers and the bad guys won't have a rat's ass chance in hell of breaking into your account.
The problem is, if you use your Google account for anything other than GMail and Google Apps on a browser, it gets a bit more complicated.
In my case, the minute I turned on the two-factor authentication, I broke every single app that I use that authenticates with Google: GMail and all Google services running on my Android phone(s), Mail on my iPad, and my Instant Messenger clients running on my various PCs/VMs and iPad.
It also broke all the web sites which I use that have to cross-site authenticate using my Google account, of which there were about a dozen, including FaceBook and Quora.
This can be fixed, but it's tricky. You have to log into your Google Account settings and issue special passwords for each service and application that talks to Google. I got it working for my Android phone, and for the IM client running on my PC. However, as soon as I realized how many of these I would have to issue to every service and web site that I use that signs in with my Google ID, I said NO MAS!
Now, I'm not saying that there aren't a whole bunch of people that would find Google's 2-factor authentication useful. Not everyone is as gadget and connectivity-crazy as I am. But just about everyone I know has access to at least 1 PC and 1 mobile phone, and uses at least 1 or 2 social networking services, so this could be daunting for most people to deal with.
Where I see Google 2-factor authentication coming into play at least for now is secondary Google accounts that could be used to store critical information, such as financial data, confidential information, et cetera. With these, you'd log in strictly via the web or one or two selected devices running mobile apps, and you wouldn't cross-site authenticate with it.
For that sort of use, I think Google's 2-factor option is great. But for my own day to day use -- at least until they figure out how to make this work better in the complex app/site mix that I swim in, I'm going to pass.
Are you planning to use Google's 2-factor authentication? Talk Back and Let Me Know.