Between the Lines

Google tackles password weaknesses with two-step sign-on

By Sam Diaz | September 20, 2010, 2:01am PDT

Google is making it much harder for critics to question the security of its cloud-based products. Today, the company is announcing a new two-step log-in process that aims to strengthen the password security model by adding a dynamic layer.

The extra layer comes in the form of a numeric code that a user types in after entering the standard password into a Google account. That code is not static: a fresh one is generated for each sign-on and is valid only for that sign-on.

The code reaches the user by SMS, by an automated phone call or through a smartphone app. Users can also mark a computer they use regularly as trusted, so that subsequent sign-ins from that computer do not require the numeric code.

In a blog post, Google points out that passwords are often the weakest link in a security chain. The company wrote:

Entering this code, in addition to a normal password, gives us a strong indication that the person signing in is actually you. This new feature significantly improves the security of your Google Account, as it requires not only something you know: your username and password, but also something that only you should have: your phone. Even if someone has stolen your password, they’ll need more than that to access your account.

The service is free and will be rolled out first to Google Apps accounts. Eventually, the service will be added to all Google accounts.


Disclosure

Sam Diaz has nothing to disclose.

Biography

Sam Diaz has been a technology and business blogger, reporter and editor at ZDNet, the Washington Post, San Jose Mercury News and Fresno Bee for more than 18 years. He's a member of the National Association of Hispanic Journalists and a graduate of California State University, Fresno.

56 Comments

RE: Google tackles password weaknesses with two-step sign-on
tomlin21-24319035676893835085146735905770 11th Oct
I've to many thanks for this about paragraph .I surely cherished every single small minimal little bit of it. I've you bookmarked your community large web site web based web site to search for out during chestnut ugg the latest things you space.
To use that you'd have to link your phone to your Google account.

... tick tick tick...
Phone number??
jkallega 20th Sep 2010
Why should I hand over my phone number to Google??
@jkallega Oh, man. If you are afraid, don't get an Android phone. I didn't answer yes the first time I had to sign my life away with mine, but I quickly learned that I had to - Android is pretty lame without entrusting your life to Google. I am still uneasy about it.
@jkallega
Doesn't have to be your phone #. It can be your google voice #, it can be some # that is linked to an SMS messaging service. Think beyond your phone #.
@rengek

And you cannot sign in to Google Voice because they have a password and a key code linked to it and your Google Voice is a closed system - closed to everyone including you.
@jkallega You can use the Authenticator app on your Android, iPhone or BlackBerry without using your phone number:
http://www.google.com/support/a/bin/answer.py?answer=1037451
The app is also open source so anyone can see what it does and compile it themselves: http://code.google.com/p/google-authenticator/

(Disclaimer: I work on the Android app.)
The weakness is a password so let's have our customers enter 2 passwords... yeah, that'll work out just fine.
@athynz It's not actually a static password. It's a number that changes every time you log in, passed to you via SMS.

You will not have to memorize it.
It isn't 2 passwords
colinnwn 20th Sep 2010
@athynz

Two factor authentication isn't "2 passwords." It is something you know (password) and something you have (your phone).

The 2nd phone based "password" isn't a password, it is a one time use key that verifies you have your phone in your possession right now, much like the access cards some companies require you to use to sign onto the company network from off site.

The other option would require you to plug your phone into the computer you are using to access Google Apps, and that wouldn't be very user friendly.
Ummm
hoagsie 20th Sep 2010
If the authentication cookie is unencrypted, a man-in-the-middle attack could still sniff it out and use it to impersonate you, unless the session identifier is generated with help from the authentic user's IP address.
@hoagsie Last I checked, their login stuff was all encrypted.
@hoagsie

What makes you think the authentication cookie isn't encrypted? It is very likely an encrypted hash of the computer's wired MAC address, that must match the computer accessing Google Apps, and some other random data so it can survive IP address changes due to NAT routing and not be usable on another computer.

Not encrypting the cookie and being possible to use it on another computer would be a very basic security precaution. I am sure the very smart Google engineers have this more under control than that.
All accounts?
wolf_z 20th Sep 2010
Guess I'll have to find another free email provider for my junk mail. Sigh. I don't have an SMS capable phone and even if I did Google doesn't need to know my phone number.

Epic Fail.
From the sound of it . . .
JLHenry 20th Sep 2010
@wolf_z

"and users have the flexibility to identify a regular computer, bypassing the need for a numeric code for subsequent visits."

But it DOES sound like you'll need one to set it up initially. . . Maybe if you're computer only, they have identified that, and won't bother you with this . . .
@wolf_z I'm pretty sure it will be optional.
@CobraA1 Correct, enabling two-step sign on for your account is optional.

(Disclaimer: I work on the Android app.)
@wolf_z

This is for Google Apps, not for Gmail. And I am positive it is only required if the company network administrator for Google Apps sets it up as a requirement.

So basically there is no need for you to do anything, as it doesn't apply to you.
This may work, but still suffers from the fact that...
JonathonDoe Updated - 20th Sep 2010
the more passwords that are required, the harder it is for people to remember them all, and the SIMPLER people make them.

A better answer is to use and enforce pass-phrases. They're easier to remember, more complex by their very nature, and as a result far harder to crack. If the user throws in some case changes and numerics, they're pretty darn secure.

Simple examples:
Please-let-me-in.
PleaseLetMeIn?
pleaseletMEin!
Pl34s3l3tm31n
... and so on...

Yeah, nothing is perfect, but pass-phrases are easier to remember yet harder to crack.

Just my $0.02, and as the man says, "your mileage may vary".

Regards,
Jon
@JonathonDoe
You are so right.
They really need to swap to pass phrase
Nice one.
@JonathonDoe This is not something that needs to be memorized.
@JonathonDoe

There is nothing to stop you using a passphrase for your regular password.

This 2nd "password" really isn't a password. It is a one time use key you read off your phone. It would do you no good to memorize it, because it would no longer be valid about 60 seconds after it was sent to your phone.
Nothing stopping
archangel9999 20th Sep 2010
@JonathonDoe There's typically nothing stopping you from using a "passphrase" as your password

In this case, the second passcode is randomly generated and sent via SMS as a two factor ID - it's a one time use and an attacker would have to intercept your SMS message and use it before you do - of course if they link your IP address or session identifier to the generated code even that wouldn't work

This is better than having to carry around a token for every site you need to do two factor ID on. It's also much better than the typical attempt at secondary authentication using simple canned questions that could be guessed or researched.
Imagine the future
guihombre Updated - 20th Sep 2010
President Glenn Beck secretly demands that the call records from Google for all the world's conversations be handed to the NSA, for 'national security' purposes.

EU turncoat Barroso offers all EU data in violation of privacy rights, says his token toady will ensure it isn't 'misused'.

Complaints about Americans' rights are dismissed and shouted down by Fox.

Here Google collects more data, linking phone to email, and that linkage is there, just waiting for another power-hungry nutter to grab it. No different to all the banking data and phone data Bush grabbed.
@guihombre Wow, you have some crazy fantasies. And some real hate for the political right, it seems. Seriously, didn't need to drag politics into this.
@guihombre

Seriously, it is not in the bill of rights that someone should be permitted to interact with society with complete anonymity. Go back to your cave. I can't believe you gave ZDNet your information.
Phone numbers...
rplace@... 20th Sep 2010
If you're really concerned, get a free Google Voice number and use that for authentication. Keep your mobile number to yourself.
@rplace@... And your Google Voice number is linked to?
Perhaps I'm confused (not surprising) but does this mean that eventually I will have to sign in with a second one-time numeric code each time I access my e-mail? If so, then how do I program that into my smartphone to automatically poll for my mail every 5 or 15 mins?
@steeleblue_cactus Email applications will likely not be affected - only the website will be affected. It is also likely this service will be optional.
@steeleblue_cactus
This is not for Gmail unless it is part of a Google Apps package used by your company. Home Gmail users will not be affected. For Google Apps Mobile Gmail users on systems that require 2 factor authentication, you will probably be required to use an official Gmail App that bypasses the 2 factor authentication in exchange for having the app encrypted and a password on your phone, rather than using a generic POP or IMAP email app.
@steeleblue_cactus

You can stay logged in on your home machine or phone. Also, you could still IMAP in without any of this.
I am probably the only person on the planet that hates getting text messages. I also don't like to give my phone number out as I dislike getting marketing phone calls.

I wonder if they would send this number to my hotmail account? /joking/
This will put off a lot of people
Reged 20th Sep 2010
... unless it is voluntary. I really am not fussed if the KGB et al access my accounts - there's nothing there worth a fuss - but I would be a bit ticked off with having to do something else to log in.
@Reged Yes, this is optional.

(Disclaimer: I work on the Android app.)
...or...here's an interesting alternative...let the user (ME!) decide what level of security I am comfortable with. Personally, I'll stay with what it is now. Those that tremble at the thought of Google having their information will too.

On the other hand, those that tremble at the fear of someone breaking in to their account and reading the love letters sent to their wife's best friend will obviously select multi-level security.
@dlsmith7289@...

There is nothing here suggesting that home users of Google Apps will be required to use 2 factor logon. This is only for business users of Google Apps, where the IT security department sets it as a requirement. In that case, the business is making security choices for you and they don't want you to be able to circumvent them.
Gawd!!! This is a dumb answer. Why not just have everyone make a physical appearance at the Google office? That should fix things ... until an ID is stolen.

What happens if the phone is hijacked?

A better idea is to register an IP. Your IP is known as soon as you access a web page, so an IP is common knowledge. Then if anyone tried to access your account from a different IP ... then you could throw up more shields.
@prof.ebral

"What happens if the phone is hijacked?"

They still need to know your password to get in.

"A better idea is to register an IP."

No, it's a worse idea, because it's easily sniffable. The idea here is that the cell network is separate from the internet connection, and chances are the hacker is not looking at both networks simultaneously.

"Your IP is known as soon as you access a web page, so an IP is common knowledge."

The last thing you want to use to secure yourself is something that is common knowledge! That defeats the whole purpose of this type of security. Because if it's common knowledge, then the hacker has access to it too. And the hacker can use it against you.
@prof.ebral

If the phone is hijacked, they still need your password. If you use DHCP, your IP address changes, and if you've several people on a NAT in a small business, you've got one external IP for all those people.
This "solution" is made by a security professional (probably the same one who says your pw has to be 12+ characters with a special character and number that has to be changed every month). This is not a real-world solution.

Case 1 Wife signs on computer, phone upstairs.

Case 2 You sign on computer, wife has cell phone you left in car at store.

Case 3 Someone finds your cell phone (in a bar?) and signs on with "secure code"

Case 4 You check mail on iPhone and Google sends you code and you call Steve and Apple asking them to recode OS 4 to allow auto mail checking rather than using Safari.

Case 5 You get telemarketers on cell cause "someone" took numbers home on a thumb drive.

Case 6 You switch email providers-----wait, isn't that Case 1?
@T in Gold Beach

None of your comments make sense.

1. You can OPT into the program, and STILL exempt your home PCs.

2. You OPT in, and what are you 80? You leave your phone in the car? Well, if you're not at home or at your office with a lock on the door, you're SOL.

3. You still need to sign in and enter your password.

4. None of this makes sense, but probably because you're a fool who bought an iPhone.

5. Your phone provider is much much much more likely to have poorly paid disaffected individuals with access to this information than Google is. If you're really worried about this, clearly the only solution is to not have a phone.

6. Yes, please switch, and no longer comment.
@T in Gold Beach

"Case 1 Wife signs on computer, phone upstairs."

A valid concern.

"Case 3 Someone finds your cell phone (in a bar?) and signs on with 'secure code'"

The "secure code" will not log anybody in by itself. It has to be used with the user name and password.

"Case 5 You get telemarketers on cell cause 'someone' took numbers home on a thumb drive."

Again - they also need your password.

In addition, the numbers expire in a short period of time, usually thirty seconds. The numbers will be useless if somebody takes them home on a thumb drive.
@CobraA1

To clarify case 3: my phone has pw and id in it for Gmail under settings. If lost, the finder can check email unless the phone is locked. The second step doesn't add any security if the code is texted to the phone.

case 5 Meant if you supply phone no to google, it's just another data base available for abuse.
"To clarify case 3 my phone has pw and id in it for gmail under settings."

So right now, they don't even need to know your password to login?

So right now, you have zero security.

Yeah - obviously if you don't care about security that much to begin with, there's not much anybody can do.

That doesn't mean this isn't helpful to other people.

"case 5 Meant if you supply phone no to google, it's just another data base available for abuse."

I don't think it's any more likely to happen with Google than with any other company that has your number.
I hate having to type in the second passkey on my Citrix Smartcard. If you have a webcam, Google should make it to where it sends your smartphone a one time use QR code that you can hold up to the webcam and it reads.

They could do something similar with any computer that had a microphone. They could call you and send touch tone codes over the earphone that you hold up to a computer microphone.
You have GOT to be kidding!
fm-usa 20th Sep 2010
Hummmm, (near future). .
Please enter your password,
'- - - - -'.
Thank you, now enter your private number,
'- - - - -'.
Thank you, now enter your last 4 digits of SS#,
'- - - - -'.
Thank you, now enter your personal ID,
'- - - - -'.
Thank you, now enter your last known date of login,
'- - - - -'.
Thank you, now enter your job start time,
'- - - - -'.
Thank you, now enter your . . .

MY GOD! WHEN WILL THIS ALL STOP!?!?!?!?!
@fvm I can see that happening, but it will not be any more secure.

The idea with using the cell phone is that you are confirming that you have access to something you own and the hacker does not - you're not just throwing around an extra number for the sake of throwing around another number.
This sounds like PhoneFactor at work. I tried this out a couple of years ago and it worked well at the time, and they were hard at work expanding its use. Nice job Google.
Please, people, read up on how this works before replying - I see a lot of misconceptions about how it works floating around.
In days of old [BBS DAYS OF THE LATE 1980's & EARLY 1990's] BBS operators had the AUTO PHONE VERIFICATION SOFTWARE [Yes kiddies, such software has been floating around BBS's since the late 1980's] and when someone entered their PHONE NUMBER they got an AUTO CALL BACK and needed to enter the same info - NAME, ADDRESS, AGE, ALT-ID like dog's name, mother's maiden name, school attended, first car color, etc.] AND then you were fully registered.