Sunday, June 17, 2012

Google Authenticator & Google's 2-Step Verification Process Review

Since I sometimes log onto public PCs to check my Gmail account, and I didn't know what was installed on those PCs (keyloggers, Wi-Fi snooping, etc.), I wanted a bit more security and configured my Google account to use 2-step verification.

For an overview of the 2-step verification process, please refer to Google's YouTube information video about it below.

How this works is that when accessing your Google account (like Gmail), after entering your Google password, you are prompted for a PIN generated by a specific algorithm. This PIN is displayed by a program called Google Authenticator, which is available for BlackBerries, iOS devices (iPhone, iPod Touch, iPad), and Android devices. Alternatively, the PIN can be sent to your cellphone via SMS, or Google can be configured to call your phone and read the PIN to you through an automated voice system. Since I have multiple phones, I sometimes use the automated phone system to get the one-time PIN on the phone that doesn't have Google Authenticator activated for my Google account (for example, I might have the Google Authenticator program on my personal cellphone while configuring the automated phone system, or SMS, to use my work cellphone). You should be aware that when the Google system calls you, the incoming phone number will be a blocked/private number. If your phone is configured not to accept blocked/private calls, you will have to allow blocked/private calls if you want to receive the automated phone calls from the Google authentication system.


I've installed the program on all 3 phone platforms, but it will only work on 1 phone at a time because the Google Authenticator program must be configured for the Google account on 1 device only. If you change devices or want to use Google Authenticator on another device, you will have to go into the 2-step verification set-up and select "Remove/Replace" for the device.

What I like about Google Authenticator is that it gives you an extra level of security for your Google account by displaying the 2nd password (PIN) on your phone. The Google Authenticator program doesn't require data or WiFi; the code is generated by an algorithm on the phone itself, so even if you have no WiFi coverage and/or no data plan, you can still use the Google Authenticator application. In a lot of respects, it is similar to the security card we used where I worked, called an "RSA SecurID card".
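To show why the code can be generated with no network connection, here is an added example (my own illustration, not code from the blog post or from Google) of the time-based one-time password scheme that Google Authenticator implements: the phone and Google share a secret, and both derive the PIN from an HMAC over the current 30-second time step (RFC 6238 TOTP built on RFC 4226 HOTP). The secret used below is the RFC 6238 test secret, and the `TotpVerifier` class is an assumed server-side design that accepts one step of clock drift and rejects a PIN that has already been used.

```python
"""Added example: TOTP as used by Google Authenticator (RFC 6238 / RFC 4226).

The phone and the server share SECRET; both compute the same 6-digit code from
HMAC-SHA1(SECRET, time_step) with no network needed. Everything here runs offline.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226/6238 test vector key "12345678901234567890",
# written the way Google Authenticator shows secrets to the user (base32).
SAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def decode_base32_secret(text: str) -> bytes:
    """Turn a user-facing base32 secret (spaces allowed, padding optional) into raw bytes."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 needs a multiple of 8 characters
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Assumed server-side check: tolerate +/- `window` steps of clock drift and
    never accept the same time step twice, so a captured PIN cannot be replayed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue  # already used (or older): one-time means one-time
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = decode_base32_secret(SAMPLE_BASE32_SECRET)
    now = int(time.time())
    print("current PIN:", totp(secret, now))
    verifier = TotpVerifier(secret)
    print("first use accepted:", verifier.verify(totp(secret, now), now))
    print("replay accepted:   ", verifier.verify(totp(secret, now), now))
```

Two points the paragraph above does not spell out: the shared secret is the whole security of the scheme (whoever holds it can generate every future PIN), and the phone's clock must be roughly in sync with Google's, which is why verifiers allow a small drift window.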

What I don't really like about the 2-step process is that some applications don't support it, and you will have to generate application-specific passcodes for them. Every application-specific passcode that you create is another way of gaining access to your Google account, so you have to be careful where you enter these codes. The good thing about these codes is that they can be revoked if necessary.

Another feature of the 2-step verification process is that you can generate one-time passcodes. These passcodes are similar to the application-specific passcodes, except that once you enter one to access your account, the passcode expires and you can't use it again (even on the same computer/browser or with the same application).

What makes Google's 2-step verification system and Google Authenticator great is that even if someone manages to guess/hack your Google password, without your cellphone (or the associated Google Authenticator program) they won't be able to get into your Google account.

If you have any questions/comments regarding this blog entry, please don't hesitate to leave a comment in the comments section below. Please note that comments are moderated and comments that contain a URL link will be flagged as being spam and will not be posted.
