Google are planning to roll out a major change to its login procedure for users of Google Apps to enhance security.
Google Apps is Google’s enterprise play for mail, calendar, document editing and collaboration, and more. It was initially rolled out for small and medium businesses to quickly and cheaply set up for their business needs, without requiring even a domain name or money to get started with. It allows administrators to roll out the Google Mail, Calendar, Docs and more features to their employees. Back in July, Google announced Google Apps for Government, a special edition of Google Apps designed for US Government entities. The critical feature here is that it came with Federal Information Security Management Act (FISMA) certification from the US Government, which cleared it for use by these departments. At that time, it was the first suite of cloud applications to receive such a certification.
The new login procedure that will be made available initially on premium versions of Google Apps. It modifies the traditional username and password approach to include a second step, which requires that a mobile device generates or is sent a unique passcode for that signon, which is then used to complete login. By adding this step, a malicious attacker must have not only the username and password of the victim, but also their authenticated mobile device. The procedure will be optional initially for Google Apps administrators to enable, and will use either SMS messaging or an Android or iPhone app to deliver or generate the so-called One Time Passcode (OTP). Users of online banking services, especially those of Santander, will be familiar with the concept of an OTP, which is already used to authorise changes to bank accounts online.
With this extra level of security, it is clear that Google are taking security and the vulnerability that is someone’s password seriously. It is also clear that this is what is demanded from businesses and government organisations alike when working with data in the cloud.
For more on the One Time Passcode system, check out the post on the Google Enterprise blog.
Comments