Risk
9/21/2010
06:04 PM
50%
50%

Google Could Drive Mobile Two-Factor Authentication Model

New Google Apps offering could overcome previous barriers to multifactor authentication

Google's announcement this week that it will offer two-factor authentication for Google Apps is an encouraging sign for the state of multifactor authentication in the cloud -- particularly using the mobile form factor, which some believe could overcome some of the challenges that have plagued multifactor deployments in the past.

The search engine giant's new two-factor approach sends a verification code via SMS message or mobile app to augment the traditional username and password sign-in. It's immediately available to premiere Google Apps customers and will be rolled out to standard users in the coming months, said Eran Feigenbaum, director of security for Google Apps, in a statement.

"When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account, something you know: a password, and something you have: a mobile phone. It doesn't require any special tokens or devices," Feigenbaum said. "After entering your password, a verification code is sent to your mobile phone via SMS, voice calls, or generated on an application you can install on your Android, BlackBerry or iPhone device."

Google developed the two-factor authentication on an open standard to enable future integration with other vendors' authentication technology. "We are also open-sourcing our mobile authentication app so that companies can customize it as they see fit," Feigenbaum said.

Julian Lovelock, director of product management for ActivIdentity, says Google's two-factor authentication solution is good news for those who have been championing multifactor authentication. In particular, the mobile form factor it chose is indicative that organizations might be ready to transcend the major issue that has held back the progress of multifactor solutions for some time: the need to physically carry around tokens for each application that employs more than one factor of authentication.

End users tend to carry around mobile devices anyway, so they needn't have a keychain full of tokens to log in anymore. This could be huge for cloud applications, in particular, Lovelock says. "As you use more applications through the cloud, each one of those applications requires you to carry a separate physical device, that becomes a blocker," he says. "Mobile is a very neat way of resolving that because you can carry many different credentials for different cloud-based services on the same physical devices."

While using mobile devices to offer another factor of authentication is hardly new, it could finally be catching on as a result of changed user habits during the past year or so.

"I looked at mobile about two years ago, and at that time I reached the conclusion that it wasn't really viable because SMS texting didn't really have the same penetration in the U.S. as it does today," Lovelock says. "But if you look at it now, it's a very different story. There's a generation coming through that has grown up on texting, so [their] receiving SMS is second nature, and people are downloading apps onto their phones all the time."

However, some security experts wonder if mobile really is the best answer for a service like Google Apps, which requires continual logins throughout the day.

"How many people are going to want to take an SMS message every time they want to log into their e-mail?" says Phil Lieberman, founder of Lieberman Software. "It's impractical for e-mail, which is something you're accessing all day long. And any security that is inconvenient will generally not be used and discarded."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0547
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0548
Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0551
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

CVE-2015-1966
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

CVE-2015-2964
Published: 2015-07-04
NAMSHI | JOSE 5.0.0 and earlier allows remote attackers to bypass signature verification via crafted tokens in a JSON Web Tokens (JWT) header.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report