February 10, 2011, 4:21 PM — Google is expanding the use of two-step verification to include all Google accounts. The security measure--implemented for Google Apps customers a few months ago--protects your Google account from being hijacked or compromised.
A Google spokesperson stated, "We're excited to be making 2-step verification, our two-factor authentication account security system for Google Accounts, available to any Google user beginning today," adding that Google is also introducing some additional features to make the security controls more widely available and easier to use.
Authentication is the process of verifying that you are you--the legitimate owner of the account--before allowing access. Authentication relies on something you know--like a password, something you have--like a mobile phone, or something you are--like a fingerprint.
The problem with the standard authentication model is that it relies only on something you know--and that something is often easily guess, cracked, or otherwise compromised. While a username may seem like 'something you are', it is just a word, so it is actually 'something you know'--and a 'something you know' that is generally not protected or kept secret so it is a non-factor. That leaves the password.
As incidents such as the Rockyou.com and Gawker.com data breaches illustrate, the majority of users depend on weak passwords that are trivial for an attacker to discover. Many users also rely on the same username and password to protect all of their various accounts--making that one password a proverbial key to the entire kingdom that is their digital life.
Once an account is compromised, the attacker can modify account details such as the alternate email address, phone number, or other contact information, making it extremely difficult for the legitimate owner to reclaim the account. That is where the Google 2-step verification protection comes in. With the new Google authentication, you need a code that is sent via SMS to your mobile phone in addition to the standard password.