Over the last decade cloud computing vendors have invested heavily in making Software-as-a-Service as secure as possible. Daily security audits, SSL-based encryption, and SAS 70 Type-II-certified data centers are now the norm rather than the exception, and data stored in the cloud is now privileged to receive some of the best security that technology can afford.
However, as with any security framework, cloud computing security is only as good as its weakest link, and in many circumstances the weakest link is the password used to access a web-based application. Passwords are often easier to guess than users think, and are all too often scribbled on notepads or Post-it notes for prying eyes to see.
To help combat any human-introduced weakness in the security equation, many security-focused services are deploying a technology called two-factor authentication. Rather than using just a password to log in to a website, users couple a password with a second authentication mechanism. This second authentication mechanism is typically a physical token that generates a single-use PIN that is used in conjunction with the main password. A widely used physical token in the banking industry is a keyfob similar to that pictured above, where a unique single-use PIN is generated and used alongside the primary password. With two-factor authentication, even if someone has stolen your password, they'll need physical access to your secondary authentication mechanism's PIN in order to access your cloud-based data.
While two-factor authentication has been around for years, this week it has taken a major step forward with Google's announcement that it will adopt two-factor authentication for millions of Google Apps users. Google's enhanced authentication system uses SMS- and mobile application-based security tokens as the secondary authentication mechanism, requiring that users couple their password with a secondary PIN received by SMS.
Google’s adoption of two-factor authentication in Google Apps is one of the first deployments of two-factor authentication in a widely used cloud-based application, and may set a new security standard against which other cloud-based providers will be measured.