Given how much data we’re trusting to online sites these days — email, search history, even voice calls — the repercussions to having our account passwords phished, hacked, or guessed are worse than ever. Unfortunately as far as consumers are concerned, account security has been stagnant for years: nearly every service requires a username and password, and that’s it. Cue the scary music and a Dateline special on having your identity stolen.
But today, Google is making things much, much better for those who want it. Update: Google is actually rolling this out over the next few days, so you may not see it quite yet.
The feature is called two-factor authentication, and it’s been available to Google Apps customers since September. Now it’s rolling out to everyone. It’s a bit confusing and the set-up process will probably intimidate a lot of people, but it’s well worth looking into if you value your account data. You can activate it by hitting the ‘two-step verification’ link on this page. So what exactly does it do?
In short, it makes it so that when you go to login to your Google account, you need to enter both your existing password and a special new second passcode — one that you don’t have to write down or memorize because it’s always changing, so it’s nearly impossible to phish. You generate this second password by firing up a new mobile app available for Android, iPhone, and BlackBerry called ‘Google Authenticator’, or by having Google call or send you a text message to a phone number you entered when you set up the feature. That password will expire in just a few minutes though, so be quick (and yes, you will feel like a secret agent the first few times you use it).
It’s not as stressful as it sounds, because you can elect to only require this second password once per computer (this still keeps phishers from being able to access your account). There are a few more quirks to it — in order to save passwords in applications like iCal, Mail, and most other desktop apps, you’ll have to generate a unique app-specific password. But again, you can save this so you only have to do it once per app.
There are also a few backup measures in place should you lose access to your mobile phone. You can designate a second, backup phone number to send the passcode to, and you’re also strongly encouraged to print out a set of ‘one-time’ passwords to keep in a safe place. This is only for the secondary password — you’ll still have to keep that ‘normal’ Google password memorized.
I’ve been using a beta version of the system for the last few weeks, and for the most part I’ve been very pleased with it. The setup process, though it’s improved since I first used it, is still pretty involved. You don’t really have to do much thinking and the setup wizard only takes a few minutes to complete, but this whole second-password thing feels foreign after a decade (or more) using the old system. This is probably why Google isn’t heavily promoting the feature to consumers yet — you’ll have to go looking for it in your accounts dashboard.
To be clear, two-factor authentication isn’t a new idea. It’s been used by large businesses for years. But giving consumers access to this same protection is a big win, and I’m hoping other services will follow suit in the near future.