Google on Monday announced the addition of a new security layer to user logins: a two-step authentication process that requires a combination of a password and a verification code sent to the user's mobile phone. The new feature will be rolled out first to its paying customers, i.e. Google Apps Premier, Education, and Government edition customers, with plans to bring it to all Google users in the next few months.
What is two-step authentication?
Most login systems on the web use ‘one-factor’ authentication, where you enter one password and you’re in. But if that password gets compromised, you’re screwed. More secure systems require both a password and a physical card or dongle to log in. These are called ‘two-factor’ systems, because they require both your password and another key, and are far more secure because a hacker probably isn’t going to have that physical token.
Google’s system uses your mobile phone as the physical keycard. First, you need to activate the two-step authentication feature from your settings page. The next time you sign in to your Google Apps account on a new browser or device, you enter your username and password as usual. You’re then prompted with a second page to enter a verification code. The verification code is a 6-digit code that is sent via SMS message or voice call to your mobile phone, which you’ve previously linked to your Google Account.
This makes your Google account more secure as even if your password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to your verification codes, which only you can obtain via your own mobile phone.
There is also a ‘Remember verification for this computer’ checkbox. If you check it, you will be prompted to enter a verification code only once every 30 days per browser, or after deleting your browser’s cookies.
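A minimal server-side sketch of the flow described above, added here as an illustration; it is not Google's code. The 6-digit code and the 30-day window come from the article, while the 5-minute code lifetime, the three-guess limit, the in-memory store and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300                        # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3                      # assumption: guesses allowed per issued code
REMEMBER_TTL = 30 * 24 * 3600         # 30 days, as stated in the article
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; persist it in real use
_pending = {}                         # user -> [code, expires_at, attempts_left]

def issue_code(user, now=None):
    """Called after the password check; the caller delivers the code by SMS or voice."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, leading zeros preserved
    _pending[user] = [code, now + CODE_TTL, MAX_ATTEMPTS]
    return code

def verify_code(user, submitted, now=None):
    """Single-use check with expiry and a guess limit against brute force."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    entry[2] -= 1  # count this attempt before comparing
    ok = now <= entry[1] and hmac.compare_digest(entry[0].encode(), submitted.encode())
    if ok or entry[2] <= 0 or now > entry[1]:
        del _pending[user]  # used, exhausted or expired: a new code must be issued
    return ok

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def remember_cookie(user, now=None):
    """Value for the 'remember this computer' cookie: user|expiry|HMAC tag."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + REMEMBER_TTL}"
    return f"{payload}|{_sign(payload)}"

def cookie_skips_second_step(user, cookie, now=None):
    """True only for an untampered, unexpired cookie issued to this user."""
    now = time.time() if now is None else now
    try:
        c_user, expires, tag = cookie.rsplit("|", 2)
        fresh = now < int(expires)
    except ValueError:
        return False  # malformed or missing cookie: ask for a code again
    good = _sign(f"{c_user}|{expires}")
    return fresh and c_user == user and hmac.compare_digest(tag.encode(), good.encode())
```

The cookie only waives the second step; the password is still checked on every sign-in, and deleting the cookie brings the code prompt back.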
Google says that in the coming months, Google Apps Standard Edition and hundreds of millions of individual Google users will be able to enjoy this feature as well.
[via TechCrunch]
So now, Google needs to know my mobile phone number as well??
You don't need to be so paranoid. The worst that can happen is you receive a few spam SMSes, but I doubt even that would happen. I already have my mobile no. linked with my Google account to recover my password. I haven't received any unsolicited message till now.
On the other hand, using this 2-step authentication your account becomes difficult to break into. Which is more important is for you to decide.
By the way, there is a ‘Google Authenticator’ application for Android, the iPhone, and BlackBerry that lets you get the security code by SMS without giving out your mobile number to Google. You can use that.