Today, Google announced two-factor authentication for all Google accounts. Previously, two-factor authentication was only available to Google Apps customers. With two-factor authentication, users need both a username/password and a phone to sign-in to their Google account. If you enable this feature, you will be prompted for your username/password like normal. Then you will be prompted for a verification code, which Google will send to your phone. The extra requirement adds an extra layer of security in the event someone steals or guesses your password. Without your phone, your password is useless to a hacker. I like the idea behind 2-factor authentication, but it also means extra work to set-up and log-in.
Non-browser based applications can’t prompt you for a verification code. As a result, you can’t use verification codes for applications like Gmail and Google Calendar on smartphones, Outlook, Thunderbird, and ActiveSync for Windows Mobile and iPhone. Instead of a verification code, you have to enter an application-specific password for each of these applications. Yeah, what a pain. Luckily, you should only have to enter an application-specific password once per application or device.
BTW, you don’t need a smartphone to use Google’s two-factor authentication. You could also use a landline phone. If you don’t want to give Google your phone number, you can also use the Google Authenticator app on any Android device, BlackBerry device, iPhone, iPod Touch, or iPad. If you don’t want to enter a verification code each time you log in, you can select the “Remember verification for this computer for 30 days” option. I like this feature, but it kinda defeats the purpose of two-factor authentication.
As I said before, the extra security means more work. If two-factor authentication is available for online banking, I would definitely enable this feature. For Gmail and my other Google accounts, I will have to think about it. I want the extra layer of security, but I don’t really want to do extra work to log in.