Email Providers Move Toward Two-Factor Authentication
Google announced last week that a popular new security feature would now be offered to users worldwide. The feature, called two-factor authentication (2FA), originally launched in February, but is now available in 40 languages in 150 countries. 2FA combines a person’s password with a one-time code that is sent to their mobile phone. Two-factor authentication cuts the risk of account compromise significantly, Google said in a press release. Google, Facebook, and Hotmail all made the optional feature available this year.
2FA has in the past typically been used to log in securely to devices or workstations that hold the most sensitive information. Many Department of Defense computers require the user to insert a smartcard in addition to entering a username and password, for example. Many hospitals use similar controls for access to patient information. That level of security is now available to the average email user. The feature essentially turns a mobile phone into an authentication token similar to those produced by RSA and others and used by PayPal.
“The idea is to protect against your user details being stolen over an insecure network or a computer that may be running malware that tries to capture precisely those details. And even if the malware captures the one-time code, once you've logged out, the code becomes invalid. So if they try to log in with your stolen details, they'll be faced with a demand for a code – which will be sent to your phone,” Guardian tech writer Charles Arthur wrote.
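The server side of the password-plus-one-time-code flow Arthur describes, written here as an added Python example that is not from the article or from any of the providers it names. The five-minute code lifetime and five-guess limit are assumed policy values, and handing the code to an SMS gateway is left to the caller.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumed policy: a code is discarded after five wrong guesses


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactorServer:
    """Second step of a login: the password has already been checked."""
    pending: dict = field(default_factory=dict)

    def issue_code(self, user: str, now: float) -> str:
        # A fresh random six-digit code per login attempt, from a CSPRNG.
        # Issuing a new code replaces any earlier one still pending for the user.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = PendingCode(code=code, issued_at=now)
        return code  # the caller sends this to the user's phone

    def verify_code(self, user: str, submitted: str, now: float) -> bool:
        entry = self.pending.get(user)
        if entry is None or entry.used:
            return False            # nothing pending, or code already spent (replay)
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]  # expired: force a new code to be issued
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]  # too many guesses: the code is burned
            return False
        entry.attempts += 1
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return False
        entry.used = True           # single use: the same code never works twice
        return True
```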
On Facebook, when the feature (called Login Approvals) is turned on, it requires a person to enter a unique code that is sent to their mobile phone each time they log on from a new computer. Additionally, each time there’s a login from a new device, the user will be notified on their next login.
Arthur provides a detailed guide on how to turn on 2FA on Google, Hotmail, and Facebook. Yahoo does not yet have the feature, so Arthur suggests not using it unless you “trust everything about the network and computer you’re using.” He says if you have to check Yahoo emails from an untrusted computer, you should set up a Hotmail or Gmail account that pulls emails from the account. He also suggests making sure passwords are secure.
You can test how secure your own passwords are with this tool from Small Hadron Collider, a Web design company based in Europe. The tool calculates how long it would take a password cracking program to guess your password.
And if you’re looking to encrypt email messages, take a look at this review of Send 2.0 by John Wagley from this month’s issue of Security Management.
photo by robertnelson from flickr