Sunday, 20 November 2011

Two Way Verification

This week’s Livewire in The Age is devoted to matters of Internet security, so I thought I’d drop in a tip of my own and recommend you start using Google’s 2 step verification. That is, assuming you hold an account with Google; is there anyone out there that doesn't?

First things first: what is Google’s 2 step verification?
Normally, we log in to websites’ private facilities using a password. Philosophically speaking, a password represents something you know but no one else does.
What Google’s 2 step verification adds to this process is the enhanced security of using not only something that only you are supposed to know, but also something that only you are supposed to physically have. In Google’s case they use your mobile phone, an item the majority of us carry on ourselves all the time.
When logging in to a Google account where 2 step verification has been enabled, you start by entering your account name and password as usual; however, instead of that being it, you are then called upon to enter a secret code. That code is SMSed to your phone, for free, by Google. You can only access your Google account if you enter both your password and the code you picked off your phone.
The process is made slightly smarter for owners of smartphones. Google supplies a free app that does not require Internet connectivity and which churns out secret codes by the minute (valid for only a minute each), codes that you can use to access your Google account instead of the SMS. Google also provides a list of ten backup codes you can print in order to access your account when/if your phone is dead/lost.
Put together, this means your Google account is not compromised even if someone gets hold of your Google password. I call that a great security measure, and I commend Google for coming up with this scheme and for supporting its implementation at no cost to us users. It reminds me of the Google I used to look up to some ten years ago, before its “do no evil” slogan became a joke.
Note there are some complexities to the process. For example, using the above process to authenticate the Gmail app on your smartphone is not the most practical affair ever. To support these cases, as well as other examples like accessing your Gmail via Outlook, the Google 2 step verification process helps you generate application-specific passwords, each of which you enter once for each such unique instance. I can see this being more than a bit of a pain to IT-averse people like my parents, but I still recommend going through the motions. The added security is well worth the price, particularly when you’re relatively IT illiterate and not fully aware of the traps that are out there for your virtual identity.
You can also hear it straight from the horse's mouth:

Google 2 step verification can be enabled by logging into your Google account, clicking your name at the top right, and then selecting the Account settings option. The 2 step verification option appears under the security menu; clicking it lets you start the process and provides links to various help screens.
Overall, I highly recommend using 2 step verification. The extra awareness gained by the process alone is well worth the admission price.
