Monday, July 20, 2009

Google's two-factor authentication for password reset

A number of recent high-profile online account compromises clearly show the need for strong passwords. In several of those cases, it also became clear that security settings that depend on secret answers to public questions are insufficient. The most notable of those compromises was probably the Sarah Palin Yahoo account hack.

I am not sure when it happened, but Google caught on to this as well and introduced a well-known form of two-factor authentication that can be used for account resets. By telling Google even more about yourself (in this case, by registering your SMS-capable cell phone number), you allow them to send a password reset token to your phone.

SMS messages have been used extensively as a secondary authentication factor by several European banks, which use them to authorize payments made through online banking systems. Every time an online transaction is made, a one-time password in the form of a transaction authorization number (TAN) is sent to the registered cell phone number. The payment is only processed when the web site user is able to produce the correct TAN.
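As an added illustration of how a service can handle such SMS reset tokens or TANs on its own side (this is example code written for this post, not Google's or any bank's implementation), the hypothetical `SmsResetTokens` class below issues a random code, stores only its hash, lets it expire, accepts it once, and tolerates only a few wrong guesses. The injectable clock is an assumption made so the behaviour can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600   # a reset code is valid for ten minutes
MAX_ATTEMPTS = 3          # after three wrong guesses the code is discarded


class SmsResetTokens:
    """Hypothetical server-side store for one-time SMS reset codes."""

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable for testing
        self._pending = {}       # account -> (code_hash, expires_at, attempts_left)

    def issue(self, account: str) -> str:
        # Six-digit code from a CSPRNG; only its hash is kept server-side.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (
            self._hash(account, code),
            self._now() + TOKEN_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code   # this value is what would be delivered by SMS

    def verify(self, account: str, code: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[account]       # expired or locked out
            return False
        if hmac.compare_digest(code_hash, self._hash(account, code)):
            del self._pending[account]       # single use: consume on success
            return True
        # Wrong guess: decrement the budget so the code cannot be brute-forced.
        self._pending[account] = (code_hash, expires_at, attempts_left - 1)
        return False

    @staticmethod
    def _hash(account: str, code: str) -> bytes:
        return hashlib.sha256(f"{account}:{code}".encode()).digest()
```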

I am glad to see that such relatively simple measures are making it to the mainstream online service providers. While SMS-based reset is not perfect, security practitioners have been opposed to weak (knowledge-based) authentication schemes for a long time.

Hopefully, this initiative will be picked up by other service providers soon.
