Will Two-Step Authentication Provide Better Cloud Security?

September 20, 2010 By Hoofer
Grazed from IT Business Edge. Author: Sue Marquette Poremba.

As more enterprises consider moving to cloud computing, security in the cloud remains a major concern, particularly the ease with which hackers can gain access to data.

Google Apps intends to boost the security of its cloud applications by using two-step authentication to access information. According to a blog post from Google Enterprise:

Two-step verification is easy to set up, manage and use. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account, something you know: a password, and something you have: a mobile phone. It doesn’t require any special tokens or devices. After entering your password, a verification code is sent to your mobile phone via SMS, voice calls, or generated on an application you can install on your Android, BlackBerry or iPhone device. This makes it much more likely that you’re the only one accessing your data: even if someone has stolen your password, they’ll need more than that to access your account.

On the surface, this looks like a good solution — or at least a good start toward a good solution. However, according to a Forbes blog post by Andy Greenberg, two-step authentication will likely just slow down hackers rather than provide a true security shield. Greenberg wrote:

Google product manager Travis McCoy concedes that real-time phishing and Trojan attacks can’t be stopped by two factor authentication. “We want to be very clear about what we are and aren’t protecting against,” says McCoy. “We don’t want users to think we’re protecting against all attacks on the Internet.” He reminds users that in addition to Google’s cell phone authentication trick, they should still use a secure browser – he names practically every one but Microsoft Internet Explorer – and run antivirus software.

I personally would like to hear how Google will work with users who prefer not to use a mobile phone or don’t use SMS or smartphone apps. Or how secure the app will be, particularly if the phone is stolen. Even with these questions and while not perfect, it is a step toward improved security.