Google Apps adds two-step authentication

The company has introduced two-stage authentication for business users of Google Apps, in which a verification code is sent to a mobile device.

Google has introduced two-factor authentication for business users of Google Apps, aimed at making the sign-in process more secure.

Under the system, announced on Monday, a user signs into Gmail and other Google Apps using a password, then verifies the log-in by inputting a code sent to the user's mobile phone.

"Until today, organisations looking to secure their information beyond a password have faced costs and complexities that prevented many of them from using stronger security technologies," said Google Apps director of security Eran Feigenbaum in a blog post. "Today we are changing that with the introduction of a more secure sign-in capability for Google Apps accounts that significantly increases the security of the cloud — two-step verification."

At present, the authentication is available only to companies that subscribe to Google Apps for Business, which costs £33 per user, per year. Customers of the Google Apps cloud service will be able to use two-factor authentication for free. Google Apps Standard Edition users will be able to use the service "in the coming months", according to Feigenbaum.

The service can be switched on for a company's users by an administrator. Once people enter their password, the verification code is sent to their phone as an SMS text or a voice call, or is generated by an application that can be installed on an Android, BlackBerry or iPhone device, Feigenbaum said.

"Google recognising that passwords are a big risk is a huge step forward," said authentication security expert Jason Hart, who is a senior vice president at two-factor authentication company Cryptocard. "It's a simple matter to get someone's username and password using social engineering or man-in-the-middle attacks."

Hart added the caveat that Google's plan to send a verification code to a mobile device would not be completely successful in areas with patchy mobile coverage, such as rural parts of the UK.

Before Monday, companies were limited to incorporating third-party two-factor authentication into Google Apps. For example, a 2008 article on HowtoForge gave details of how to implement open-source two-factor authentication software in Google Apps.