The recent rollout of Google’s 2-step authentication to the general public means a higher level of authentication than just entering a username and password to access your Gmail account. This is good news for the identity verification market. Google has taken steps to apply 2-factor authentication similar to what the banks have applied in granting customers access to online banking information, only instead of using a shared secret they are using out-of-band authentication.
I’m glad to see Google starting to address the risks cloud-based free email accounts pose for identity theft. However, I predict the process is going to be a bit too kludgy for the majority of consumers to embrace, and apparently I’m not the only one to point this out. Take a look:
Further review under the “Learn more” section shows that you can set up your account so that you only have to log in using a one-time passcode sent to your phone every 30 days, instead of every time. This should help adoption, but probably only among people who are really comfortable trying new technology tools or those who might have already been a victim of an email hack. This method means Google is betting on the majority of consumers having their phone nearby when logging into their email, or, more than likely, logging into their email on their phone. It’s probably a pretty good bet, since being without a cell phone probably feels, to most people, close to being in the desert without water, but the practicality of applying verification in this fashion ties authentication to a device that can be easily lost or stolen. And either every time or once every 30 days you’ll have to pay for a text message with your one-time passcode so that you can log in and check your email from the computer you always use.
I’m interested to know how the privacy advocates react to this change. I think the implications of Google collecting phone number data on its millions of consumers might be a concern, especially given the other privacy issues being discussed related to behavior tracking and advertising.
Google is sophisticated and smart, and clearly concerned with identity and security, so I’m sure they will evolve this process over time to make it better and safer. This type of out-of-band authentication is a great idea and strengthens security, but I definitely see a use case for the new product we announced last week, which was built to address some of the issues around the “something you know” portion of 2-factor authentication.