Blog post

Google two factor authentication a first step – but a lot more need to be taken

By Avivah Litan | September 20, 2010 | 2 Comments

Google announced two factor authentication for Google Apps today. It will use SMS/OTP – either sent to a phone or launched from a native smartphone application.  It’s sure to set off a round of hyped up enthusiasm among vendors clamoring to introduce cloud-based authentication services (e.g. VMware with its acquisition of Tricipher, CA with its acquisition of Arcot, Symantec with its acquisition of VeriSign).

But before we all get too excited, note that the OTP generated by or sent to the mobile phone is simply entered by the user into the user’s PC browser in order to log into Google Apps. This authentication method has long been beaten by bank trojans like Zeus. (See our research note “Where Strong Authentication fails and what to do about it”). In other words, a man-in-the browser attack will simply sit there in the browser until the user enters the OTP, and will then go do its malicious thing.

So while the new authentication method may placate the masses by requiring more than just a password for log in to cloud applications, it will do little if anything to stop determined fraudsters from taking over user and customer accounts.  Sure, security layers are a good thing but don’t get deluded into thinking this method is enough.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Saqib Ali says:

    Ms. Litan,

    I agree with you that Google’s 2-Factor Authentication is not enough, but Google NEVER claimed it to be end-all solution to ALL authentication related security issues. This is true for ANY security control. One single security control can not address all security issues.

    Google is taking the right steps in the right direction, and we should commend them on that.


  • Avivah Litan says:

    I’m about to blog about attacks on SMS/OTP in the banking sector. Google certainly has the resources to address these attacks head on so I don’t get what they didn’t do that at the outset.