Google announced two-factor authentication for Google Apps today. It will use SMS/OTP, with the one-time password either sent to a phone by text message or generated by a native smartphone application. It's sure to set off a round of hyped-up enthusiasm among vendors clamoring to introduce cloud-based authentication services (e.g. VMware with its acquisition of TriCipher, CA with its acquisition of Arcot, Symantec with its acquisition of VeriSign).
But before we all get too excited, note that the OTP generated by or sent to the mobile phone is simply typed by the user into the PC browser in order to log into Google Apps. Bank trojans like Zeus have long defeated this authentication method (see our research note "Where Strong Authentication Fails and What to Do About It"). In other words, a man-in-the-browser attack will simply sit in the browser until the user enters the OTP, and will then go do its malicious thing inside the freshly authenticated session.
So while the new authentication method may placate the masses by requiring more than just a password to log in to cloud applications, it will do little if anything to stop determined fraudsters from taking over user and customer accounts. Security layers are a good thing, but don't be deluded into thinking this one is enough.