Following the outbreak of Heartbleed, Internet users are more wary than ever of potential exploits and hacks, which makes the timing of Google’s latest security initiative pretty much perfect. Google has begun its implementation of an automatic two-step authentication process for users of Google Apps services, requiring anyone attempting to access an account to input both the password and a unique code sent to a mobile device. Google has had dual-factor authentication for some time, but the new Login Challenge will provide an extra layer of safety.
According to the Login Challenge page on Google’s support site, if the web giant detects a suspicious login attempt on an account, whoever is signing in will be presented with a challenge asking them to verify their identity.
“When a suspicious login is detected, we send a challenge to the user such as an SMS with a verification code to the user’s phone and ask them to enter this code before we grant access to their account. This drastically reduces the chances of an unauthorized user accessing the account because the attacker would have to get a hold of the user’s phone as well as the username and password.”
Google does not specify how it will detect suspicious logins, but one can assume that multiple incorrect password attempts will be a primary method. If for any reason the account owner cannot access his or her account and doesn’t have access to a phone for SMS messages, the Login Challenge can be disabled through the Google Admin console.
The feature should roll out for all domains in the coming weeks.