Beyond Passwords: Two Factor Authentication Comes to the Cloud

Over the last decade cloud computing vendors have invested heavily in making Software-as-a-Service as secure as possible. Daily security audits, SSL-based encryption, and SAS 70 Type II-certified data centers are now the norm rather than the exception, and data stored in the cloud now benefits from some of the best security that technology can provide.

However, as with any security framework, cloud computing security is only as good as its weakest link, and in many circumstances the weakest link is the password used to access a web-based application. Passwords are often easier to guess than users think, and are all too often scribbled on notepads or Post-it notes for prying eyes to see.

To help combat this human-introduced weakness in the security equation, many security-focused services are deploying a technology called two-factor authentication. Rather than logging in to a website with just a password, users couple the password with a second authentication mechanism. This second mechanism is typically a physical token that generates a single-use PIN, which is entered alongside the main password. A widely used physical token in the banking industry is a keyfob that displays a fresh single-use PIN each time one is needed. With two-factor authentication, someone who has stolen your password still needs the current one-time PIN, and therefore possession of the token that generates it, in order to access your cloud-based data.

While two-factor authentication has been around for years, this week it has taken a major step forward with Google’s announcement that it will adopt two-factor authentication for millions of Google Apps users. Google’s enhanced authentication system uses SMS- and mobile application-based security tokens as the secondary authentication mechanism, requiring users to couple their password with a secondary PIN received by SMS or generated by the mobile application.

Google’s adoption of two-factor authentication in Google Apps is one of the first deployments of two-factor authentication in a widely used cloud-based application, and may set a new security standard against which other cloud-based providers will be measured.

Comments

  1. Looks like full rollout now for Apps Premier, Education, and Government Editions, and Standard Edition users will have a couple more months to wait.

    For lawyers dabbling in G. Apps, this might be the needed push to get them to pay for the Premier edition. That & the uptime guarantee. :)

  2. So those without mobile phones can’t use the application? Or is there a way to receive SMS without a phone? It increases the security against people who aren’t on your machine(s), anyway, which is important. Of course those people can’t read your primary password from the sticky attached to your monitor either (or if you have any sense, stuffed into a drawer in the form of a hint, so a bad guy would have to have access to the premises for a long time to get anywhere.)

  3. @Steve – I agree. I think at $50/user/year Google Apps is a no-brainer – the value-add in the form of the uptime guarantee, support, and now two-factor authentication are all strong reasons to opt for it.

    @John – I believe a cell phone would be required as the various options – SMS, mobile app, etc. – all run on a mobile. However, the iOS application might work on an iPod Touch.

  4. We’ve been using cloud computing in my tax practice for 7-8 years. I really like this idea and will take a serious look at implementing it with my IT manager. Thank you!