Are you one of the hundreds of millions of people around the world who depend on Google’s suite of services such as Gmail, YouTube or Docs? If so, you probably log in using a simple Gmail address and password and leave it at that. Bad idea. Simple credentials like this are incredibly easy to steal from users, either by guessing them (if the passwords are weak), or using phishing (a bogus website that impersonates the real one) or using keylogging malware (which steals credentials as they are typed).
Luckily, Google offers a simple way to boost security in the form of its 2-Step Verification system. Technically, this is a kind of two-factor authentication system, a way to secure online accounts using something only the user knows (a password) and something only the user has (a one-off code or token). In Google’s implementation, the user logs in using their email address and password as normal, after which they are asked to enter a one-time SMS code sent to their designated smartphone. That means that even if a criminal gets hold of the email address and password, they can’t access the account because they don’t have the SMS code.
Google doesn’t give out figures for the number of users who’ve adopted 2-Step Verification security but it’s almost certainly a single-figure percentage of the total user base. Awareness of this security feature still seems to be low.
As with all two-factor authentication systems, 2-Step Verification design has some potential weaknesses Google has had to overcome. First, what happens if the user can’t receive the SMS code because the mobile service is unavailable? The solution is to generate them on the phone using Google’s Authenticator app, which can be run from iPhones and Blackberrys as well as Android devices even when there is no data connection.
A second issue is the possibility that an attacker could conduct a phishing attack on a PC while simultaneously engineering the user to install a rogue app on their smartphone in order to intercept the SMS code. This is an attack that has been successfully deployed against bank authentication systems using SMS verification and although unlikely it is far from impossible.
Google’s solution is to offer two further even more secure ways to use 2-Step Verification. The first is to specify that the code is sent via an automated phone call or, second, by plugging in a physical USB key based on the FIDO Universal 2 Factor (U2F) protocol. The latter option adds $15 to the cost but is extremely secure. Beating it would require finding a weakness in the FIDO standard or stealing the token itself.
How to protect Google accounts from hackers - setup
It sounds complicated but setting up 2-Step Verification is simple enough although note that accessing all the features mentioned above requires using Google’s Chrome browser. Business users must also persuade company admins to enable it though the Google Apps administrator panel.
Consumers can access 2-Step Verification from Google’s account configuration page and following the simple instructions. This will ask the user to turn on the feature, designate a mobile phone number, a backup number (in case the first is lost), and decide whether to use SMS verification every time they log in or only from untrusted devices (regularly-used PCs and mobiles can be whitelisted). In case the user has no access to authentication options (i.e. a phone, backup phone or token), 10 one-time backup codes can be printed out and stored for emergency use.
Note, some users access Gmail account through a PC or Mac email client such as Outlook or Mail on Mac, in which case these applications will also need to be authenticated (they log in to the account even if users aren’t aware of that). Google’s setup can generate passwords for those apps, which should only need to be entered once.
A final issue to consider is the password used to secure the account. Although this has nothing to do with 2-Step Verification, it is important not to see using authentication as a magic forcefield – the primary account password must also be long and complex. A strong password and 2-Step Verification work hand in hand and one is only as secure as the other.