Two-Factor Authentication Has One Big Endorsement: Google

Banks are still debating the use of two-factor authentication for account access, even though hackers are getting more cunning and the tech bellwether Google Inc. just endorsed the extra layer of security.

"Banks have a fear of putting extra security measures out there and having customers feel they are being inconvenienced," said George Tubin, a senior research director at TowerGroup.

In an announcement Thursday on The Official Google Blog, the company said it would enable "2-step verification," using text messages, voice messages and smartphone apps to send a one-time-use code to users' mobile phones. This would provide added security to many accounts accessed through Google's login, including its e-commerce payment system.

The Google approach lets those customers most interested in protecting their security do so, which in turn spreads use by word of mouth. Banks could use a similar approach, Tubin said, by offering it to "higher-risk" customers — for example those with a lot of money in accounts, or those who tend to access accounts from non-secure or mobile locations.

Many banks considered using one-time passcodes to promote authentication under a 2005 mandate from the Federal Financial Institutions Examination Council. At that time the codes were commonly generated by a keychain device.

Because of the costs associated with acquiring and distributing the devices, they were adopted primarily for business accounts, wealthy consumer accounts, and for accounts where the consumers were willing to pay a fee for their use.

The growth of mobile phone use — and in particular, consumers' increased willingness to run banking apps on their phones — has made a software approach to one-time passcodes more practical.

"Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger," Nishit Shah, product manager at Google Security, wrote on Google's blog.

"Two-step verification works with Google Checkout just as it would with Gmail, Picasa Web Albums, or other services that involve signing in to your Google account," Jay Nancarrow, a Google spokesman, said by e-mail.

The endorsement of a household technology name such as Google may validate two-factor authentication in the minds of bankers, though analysts cautioned that the method isn't foolproof.

Avivah Litan, a vice president and distinguished analyst at Gartner Inc., said Google's system "is definitely an improvement over passwords … and it raises the bar for criminals, but banking Trojans have proven they have no trouble getting around" two-factor authentication.

She added that tokens left as voice messages are even more problematic, as hackers are getting more creative about forwarding phone calls to their own numbers.

Julie Conroy McNelley, senior risk and fraud analyst for Aite Group in Boston, said she thought Google was acting intelligently by offering the enhanced security process on a voluntary basis.

"Doing this as an opt-in shows that Google is targeting the folks who have the security savviness and willingness to go through the extra pain to get extra security — and a substantial extra bit of security at that," McNelley said.

Tubin agreed, saying the opt-in feature would give customers a chance to acclimate to the security procedure, and it would give Google an opportunity to slowly educate its consumers on the importance of such security measures. Tubin said he thinks voluntary adoption by Google users could be as high as 10% to 20% of the total at the outset.

Industry observers said that enabling two-factor authentication could increase use of Google Checkout. Google says several hundred thousand merchants use Google Checkout. By comparison, PayPal Inc. has about 8 million merchants.

"Google has the ability to execute an online payment strategy, but they have not hit on all cylinders yet," McNelley said. With some players like PayPal recently moving to make mobile transactions easier for consumers, rather than more complex by adding more layers of security, McNelley said, Google may be heading the other direction to see how that tactic plays out.

Other analysts said two-factor authentication could help build a consumer and merchant user base online as well. "This will be attractive to users who have been hesitant to transact online," Tubin said.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER