Recapping Google’s new two-factor authentication

I wanted to post about Google’s new two-factor authentication announcement. Two-factor authentication is something you have (e.g. a phone) and something you know (e.g. a password). It’s a Big Deal because if your account or business has two-factor authentication, those accounts are immediately less likely to be phished, hijacked, or otherwise abused. There’s a neat Google Authenticator application that runs on Android, iPhone, and Blackberry:

For the “something you have,” Google provides lots of ways to authenticate:
- SMS, e.g. for cell phones
- a voice phone call, e.g. for landline phones
- authentication apps, e.g. for smartphones that might be abroad or not have a signal. Android, iPhone, and Blackberry phones are supported.
- one-time/single-use codes that you can print out as a final fallback and put in your wallet, desk or a safety deposit box.

This announcement has a few bonus features. Here are some extra-good things that make me happy:
- Two-factor authentication will be offered on all Gmail accounts “in the next few months,” according to TechCrunch.
- You can authenticate a particular browser using cookies for 30 days per browser. So you don’t get bugged with a login message on a computer you use every day, like your home computer.
- Google open-sourced the Android authentication app and according to that page will open-source the iPhone app soon.
- Drew Hintz mentioned in the TechCrunch comments that the Google Authenticator app uses RFC 4226, so a lot of this work is open stuff that people could take and build on.

Drew also does a great job debunking misconceptions in the TechCrunch comments:
“Random commenter: Google wants my phone number? (insert too-much-data-conspiracy here)”
“Drew: Actually, you can use the app if you prefer not to provide a phone number”

Overall, this is a great launch. I’ve seen the pain that a hijacked account can cause, over and over and over again. Don’t just protect yourself with a password. As soon as you can, add an extra layer of protection with two-factor authentication on your account. Two-factor authentication: it’s not just for World of Warcraft any more.