The Return of Phone-Based Two-Factor Authentication

Many people believe cloud computing is changing everything about the way we use IT. Nothing could be further from the truth. In fact, some solutions coming to the fore in the cloud are tools and services that have been around for some time. Take, for instance, the new authentication services offered by Google and Microsoft.

In June 2009, Twitter cofounder Biz Stone was shocked to discover that sensitive business documents of the microblogging service had been compromised. An investigation revealed that Twitter's own systems weren't breached. Rather, the leak's source was Google. Attackers had successfully leveraged Google Apps' automated password reset feature to gain access to a Twitter admin's account. Once inside, they found a treasure trove of data, including access rights to Stone's personal email account.

Clever as the hack was, a second authentication factor would have stopped it: a reset password alone would not have been enough to log in. Multi-factor authentication is the practice of requiring users to present more than one kind of evidence to prove their identity, and it is hardly a new idea. Conventional authentication is single-factor: the username merely identifies the account, and the password, something you know, is the only proof. Multi-factor authentication adds at least one independent factor, typically something you have (a hardware token, a certificate on a device, a phone) or something you are (a biometric).

At the time of the Twitter hack, Google was working on a two-factor authentication system. Today, that system becomes available. Google Apps users now have the option of adding a second layer of authentication for access to their accounts: a passcode delivered by SMS message to their mobile phone.

The system is simple but effective. It adds another layer of access security without imposing the burden of an expensive token or biometric reader: so long as the user has possession of his phone, he can gain access to his account. Likewise, requiring an SMS-delivered passcode makes it exceedingly difficult, though not impossible, for an attacker to compromise an account. The attacker now needs the password and the code, which means either phishing the code from the user while it is still valid or taking over the phone number itself.

But this is hardly a new idea. The concept and systems for delivering multi-factor authentication by cell phone, as SMS or email, have been around for the better part of the last decade. Previous efforts to implement such systems failed not because of the technology but because cell phones were not yet ubiquitous and text messages were expensive to send. Now that mobile phones are as common as shoes and sunglasses, SMS passcode features are commercially viable. Microsoft introduced a similar feature in Hotmail and Windows Live last May.

Traditionally, the trouble with multi-factor authentication is that it's expensive to implement and manage. Handing out hardware tokens to hundreds, if not thousands, of users costs anywhere between $25 and $40 per seat. Digital and soft certificates are substantially less expensive, but harder for average users to work with. Even well-engineered systems such as American Express's Blue smartcard, designed to provide greater levels of security to eCommerce and guard against identity theft, failed to win user adoption and proved expensive to deploy. The Google system overcomes both the cost and the difficulty-of-use problems.

Google also is releasing Google Authenticator, a downloadable app for smartphones that generates one-time passwords independently of the online application, so no network connection or text message is needed to log in. The app is essentially a software token: it holds a shared secret that was provisioned during setup and derives a short numeric code from that secret and the current time (the HOTP and TOTP one-time-password algorithms), which is the same idea hardware tokens have implemented for about 15 years.

The Google Apps implementation of multi-factor authentication shows that old ideas can gain new life in cloud computing, and that we don't always need to dream up new innovations to evolve cloud computing.

For Google partners, the addition of multi-factor authentication to Google Apps could help overcome objections and concerns about security. At the very least, this new service based on an old idea is putting more security in the hands of the user – literally.
