Google is pushing the use of two-factor authentication for people with Google accounts.
Roughly five months after taking two-factor authentication to Google Apps
users, the company is adding a setup wizard and other features to
bring the security approach to more users.
"Most of us are used to entrusting our information to a password, but
we know that some of you are looking for something stronger," blogged
Nishit Shah, product manager for Google Security. "As we announced to
our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step
verification that makes your Google Account significantly more secure by
helping to verify that you're the real owner of your account. Now it's time to
offer the same advanced protection to all of our users."
The two-step authentication process will involve the user's password plus a
code sent to a phone number the user provides. Once it is set up, when users
enter their password they will also be prompted to enter a code provided by
Google.
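The password-plus-code flow described above, as an added example written for this article rather than Google's own code: the mobile app in the article generates codes on the phone, and this example assumes it does so with a standard time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1, 30-second step, six digits), which is an assumption the article does not state. The `Account` class, its `login` states, the hashed single-use backup codes and the one-step clock-drift tolerance are also constructed for illustration.

```python
"""Two-step sign-in: password first, then a one-time code from the phone.

Added example, not Google's implementation. Assumes the phone app emits
RFC 6238 TOTP codes (HMAC-SHA1, 30 s step, 6 digits); that algorithm choice
is an assumption, as are the Account/login design and the backup-code handling.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30      # TOTP time step
DIGITS = 6             # code length shown to the user
DRIFT_STEPS = 1        # tolerate one step of clock skew on either side
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: int, drift: int = DRIFT_STEPS) -> bool:
    """Accept the code for the current step or one step either side (clock skew)."""
    counter = int(at_time) // STEP_SECONDS
    matched = False
    for candidate in range(counter - drift, counter + drift + 1):
        # Constant-time comparison; keep looping so timing does not leak which step matched.
        if hmac.compare_digest(hotp(secret, candidate), code):
            matched = True
    return matched


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Constructed account model: a password plus an optional second factor."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)
        self.totp_secret = None          # set once 2-step verification is enabled
        self.backup_code_hashes = set()  # SHA-256 of each unused one-time backup code

    def enable_two_step(self, totp_secret: bytes = None, backup_count: int = 5):
        """Turn on the second factor; the plaintext backup codes are returned once."""
        self.totp_secret = totp_secret or secrets.token_bytes(20)
        codes = [secrets.token_hex(4) for _ in range(backup_count)]
        self.backup_code_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self.password_hash)

    def login(self, password: str, code: str = None, at_time: int = 0) -> str:
        """Step 1: password. Step 2 (only if enabled): TOTP code or an unused backup code."""
        if not self.check_password(password):
            return "denied"
        if self.totp_secret is None:
            return "ok"                  # account never opted in
        if code is None:
            return "code-required"       # the extra page that prompts for a code
        if verify_totp(self.totp_secret, code, at_time):
            return "ok"
        digest = hashlib.sha256(code.encode()).digest()
        if digest in self.backup_code_hashes:
            self.backup_code_hashes.discard(digest)  # backup codes are single-use
            return "ok"
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through using the RFC 4226/6238 reference key.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple")
    backup_codes = acct.enable_two_step(totp_secret=secret)
    print(acct.login("correct horse battery staple"))                 # code-required
    print(acct.login("correct horse battery staple", totp(secret, 59), 59))  # ok
    print(acct.login("correct horse battery staple", backup_codes[0], 10**6))  # ok
    print(acct.login("correct horse battery staple", backup_codes[0], 10**6))  # denied
```

The `hotp`/`totp` functions reproduce the RFC test vectors (counter 1 with the key `12345678901234567890` gives `287082`), so they can be checked against any standard authenticator app. The drift window is the usual trade-off between tolerating phone clock skew and widening the set of codes an attacker could guess; a real deployment would also rate-limit failed code attempts.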
"Over the next few days, you'll see a new link on your Account Settings
page ... A user-friendly set-up wizard will guide you through the process,
including setting up a backup phone and creating backup codes in case you lose
access to your primary phone," Shah explained. "Once you enable 2-step verification, you'll see an extra
page that prompts you for a code when you sign in to your account.
"After entering your password, Google will call you with the code, send
you an SMS message or give you the choice to generate the code for yourself
using a mobile application on your Android, BlackBerry or iPhone device,"
Shah wrote. "The choice is up to you.
"A hacker would need access to both of these factors to gain access to
your account," Shah wrote. "If you like, you can always choose a 'Remember
verification for this computer for 30 days' option, and you won't need to
re-enter a code for another 30 days. You can also set up one-time
application-specific passwords to sign in to your account from non-browser
based applications that are designed to only ask for a password, and cannot
prompt for the code."