Google Doubles Down On SecurityGoogle Doubles Down On Security

While Google Apps has proven to be an attractive option for many small businesses and start-ups, many other businesses (especially those with higher security requirements) have shied away from the service. But a new security feature may address these issues, and in the end make Google's services more secure for all users.Google has announced that starting today (September 20th) they will let administrators of the premium Google Apps Premier, Education, and Government Editions enable two-factor authentication to increase the security of logging into Google App services such as Gmail and Google Docs.

For those who don't know what two-factor authentication is (and strangely, throughout their announcement Google calls it Two Step Verification), it is a simple way to improve the security of logins, relying on something the user knows (usually a username and password) and something a user has (a SecureID card, USB fob, or, as is the case with Google, a phone). If an attacker only knows the password, or only has the second device, they cannot break into the account.

Now two-factor authentication isn't new, it's been around for a long time now. And it's not even unique in web-based services. Other services have used it for a while now and there are even products, such as PhoneFactor, that let businesses use a phone as the second factor in authentication.

But still, this is a welcome sight in the Google Apps and it makes the services an option for businesses concerned about security and also for those who are under regulations that require two-factor authentication. And while it is currently only available for businesses and organizations, Google has said that they plan to roll it out to all users in the near future.

The way the Google service works is simple. Once an administrator has set it up, users can enter a phone number in their profile. Then, when they try to log into their Google Apps, the application will ask for a randomly generated code that has just been sent to the user's phone. The code can be sent via SMS, a mobile application, or via a voice mail (useful if you are using a landline). Once the code is entered (and assuming they've also entered the correct username and password) the user has access to their applications.

For the most part I like this implementation of two-factor authentication. A phone is a much better option than some kind of hardware or card, as everyone has one, people are much less likely to lose their phone or even go anywhere without it and it makes it very flexible for administrators to adjust (employee lost a phone or has a new number? Just change the number in their account).

The Google service also provides users with a set of one time passcodes that can be used if a phone is lost or unavailable, though these codes need to be printed or saved in some secure location.

Of course two-factor authentication isn't perfect. If your system or network has been compromised in some way, then attackers will still be able to access your Google Apps account. But it does help a lot.

Think of it as if your house front door just had one of those cheap knob locks that can be easily circumvented with a credit card. Putting in two-factor authentication is like putting in a real deadbolt lock, not impenetrable, but a lot better.

Does this solve all of Google's security problems? Of course not. And for some businesses, how secure Googles services are doesn't matter at all, as their main problem is the fact that all their data and content is held in the cloud and potentially subject to loss or subpoena.

But for many other businesses, this removes one more reason why they shouldn't think about using Google Apps for their mail, productivity and other applications.