Google’s two-step authentication goes global

John Ribeiro
1 August, 2011

Google said late last week that it has rolled out its two-step authentication sign-in system to 40 languages across over 150 countries.

The service, which is intended to make it more difficult for hackers to break into Google accounts, has been available since February as an optional service but only in English.

The two-step verification system combines password-based authentication with a verification code. The code is generated by a Google app on the user’s iPhone, Android or BlackBerry smartphone, or sent to the user by short message service (SMS) or automated voice call. The account can be accessed only after this code is entered. The verification code can be made valid for a session or for up to 30 days at a time.

The verification system was offered in September to users of Google Apps, and was introduced in English to Google accounts in February. There was no geographic limitation earlier, but Google now supports more countries for receiving codes via SMS and voice calls, for people who aren’t using the Google Authenticator app on a smartphone, Google said in an email.

The option to receive the codes through SMS and automated voice calls is likely to be useful to users in emerging markets like India where most mobile users do not have smartphones.

After the user sets up a phone to receive verification codes, 10 backup codes are issued. These backup codes can each be used once instead of a verification code to sign in, and could be useful when users don’t have access to their phone, for example, while travelling, Google said. While setting up the preferences, users can also provide an alternative mobile number in case the first phone is not available or lost.
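The sign-in flow described above can be sketched as a server-side check. This is an added example, not code from the article or from Google: it assumes the app-generated codes follow the time-based one-time password scheme of RFC 6238 (the article does not name the algorithm), and the `SecondStep` class, the 8-digit backup code format and the one-step drift window are hypothetical choices.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: RFC 4226 HOTP computed over the 30-second time counter."""
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()

class SecondStep:
    """Hypothetical verifier for the second sign-in step (assumed design)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.backup_hashes = set()

    def issue_backup_codes(self, count: int = 10) -> list:
        # Codes are shown to the user once; the server keeps only hashes.
        codes = set()
        while len(codes) < count:
            codes.add(f"{secrets.randbelow(10 ** 8):08d}")
        self.backup_hashes = {_digest(c) for c in codes}
        return sorted(codes)

    def verify(self, code: str, now=None):
        now = time.time() if now is None else now
        # Accept the current step and its neighbours to tolerate clock drift.
        for drift in (-1, 0, 1):
            candidate = totp(self.secret, now + drift * 30)
            if hmac.compare_digest(candidate.encode(), code.encode()):
                return "totp"
        h = _digest(code)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)        # each backup code works once
            return "backup"
        return None
```

A production verifier would also rate-limit attempts and reject a time-based code that has already been accepted within its window.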

Email, social networking and other online accounts still get compromised today, but two-step verification cuts those risks significantly, said Nishit Shah, product manager for Google security.

Google has been promoting its two-step authentication after Gmail accounts were compromised in June. The company said that passwords of personal Gmail accounts of hundreds of users including senior US government officials, Chinese political activists, officials in several Asian countries, military personnel and journalists were collected in a campaign which seemed to originate from Jinan, China.

One Comment


  1. CTI says:

    While it’s great that Google and other sites are trying to increase security by adding two-factor authentication, the approach they’ve chosen to use is already obsolete and does not increase security. In fact, any website that sends an authentication code to a person’s phone in clear text as a text message is not secure (including your bank). That’s because cybercriminals use malware called Zeus to both steal your login credentials and intercept the authentication text message that the website attempts to send to your phone. They simply read the text message and enter the authentication code to access your account and commit fraud.
    A better approach is to send some type of knowledge-based challenge to the person’s phone. That way, even if the communication is intercepted or if someone else gains possession of your phone, they won’t be able to authenticate because they don’t know the secret to the knowledge-based authentication challenge. An example of this is shown in this short video, where they send a visual authentication challenge to the person’s mobile phone instead of a text message with the authentication code clearly visible: The person simply taps a few pictures that fit their secret categories to prove it’s really them. It’s much more secure than sending an authentication code in clear text as a text message that anyone could read.
