In any conversation about how applications and data are moving online, security is one of the first concerns to come up. That’s definitely something Google has had to address as it tries to sell Google Apps, its bundle of work tools like Gmail and Google Docs, to businesses and other organizations. Today, it’s taking a big step to reduce the risk.
Product manager Travis McCoy said Google Apps’ main security issue is the same one facing many other websites. It’s only protected by a username and a password, a combination that can be vulnerable, for example if you use the same password across multiple sites or if you’ve written it down somewhere.
To tighten security, Google is adopting an approach that’s similar to one used by some larger companies — adding an extra password, one that’s randomly generated and changes over time. Traditionally, the password is delivered using an extra device, like a smartcard that employees carry around. The extra device makes these programs more expensive, and can be a pain for employees if they forget where they put it.
Google simplifies the process by delivering the password to a device employees are already carrying around, namely their phone. Users can sign up to receive the passwords via SMS text message or through an application they install on their Android, BlackBerry, or iPhone device. So even if someone manages to steal or guess your password, they won’t be able to get into your account unless they’ve stolen your phone too. And if you’re accessing Google Apps from a computer that you believe is completely safe, you can tell Google to remember your verification, so you only have to enter an extra password once every 30 days.
The new feature goes live today for Premier, Education, and Government Google Apps accounts. Like I said above, it should help win businesses over if they were worried about security risks. (Remember that a hacker leaked some of Twitter’s files last year after getting access to an employee’s Google Apps account, though Twitter said, “This attack had nothing to do with any vulnerability in Google Apps which we continue to use.”)
McCoy said the bigger goal is to move websites towards this new, stronger model of security: “It’s the [old] model itself that’s broken.” So Google will eventually make this feature available to consumer users of apps like Gmail, as well as to businesses with the free Standard Edition of Google Apps. It’s also making the code for the mobile apps available via open source, so that other online services can follow its lead.