In this day and age, when concepts like hacking, phishing, and identity theft have become commonplace, it’s no wonder companies in the tech sector are heavily investing in security technologies in order to keep themselves, and their clients, one step ahead of the game. Google, being one of the biggest web companies, with hundreds of millions of user accounts, is one of them, and has developed a really ingenious authentication system that can be used not just to protect their own user accounts, but also many existing third-party platforms.
The use of passwords, or passphrases, to make sure a user is really who he says he is, has been the cornerstone of user authentication since the advent of computing. The premise is simple: since the password is secret, only the real user should know it, right? However, the weakness of such a system is that an unchanging password can be guessed, either “by hand” or programmatically, through what is called a brute force attack. It can also be stolen by intercepting a user’s communications, such as his requests to log into his account. The solution? An “ever-changing” password.
OTP – One Time Password
Being realistic, changing your password each time you use it to log in wouldn’t be practical. Not only would you waste a lot of time each time you go into your account, but tracking what the password is at any given time would be a logistical nightmare. But what if your user account did all of this for you automatically? That is the premise of OTP algorithms: each time you log in, you use a different password, automatically generated by an application on your computer or smartphone. It is precisely this technology that Google has implemented to secure their user accounts even further; they call it two-factor authentication. To show the system you really are who you say you are, you supply two proofs of identity: something only you know (your “static” password, as you have always done until now), and something only you own (your computer or smartphone, which generates the one-time code, i.e. your “ever-changing” password). In this case the One Time Password doesn’t replace your static password, but actually adds another layer of security on top of it. That way, even if either your static password or your authenticating device (your PC or smartphone) gets stolen, the perpetrator cannot log into your account without the other one.
Securing your Accounts
Google Authenticator is based on open standards, and there are not only existing implementations for popular web systems and frameworks, but also open source libraries for integrating this technology into any user system imaginable. There are Google Authenticator solutions available for WordPress, Joomla, Prestashop, Magento, as well as the native implementation for Google and GApps accounts. As for authenticating devices, there are free apps for Android, iPhone, and Blackberry devices, Windows, Mac OS, and Linux PCs, and there are even specialized standalone gadgets you can purchase. If you are reading this, chances are you already own a device you can use for authentication; if that’s the case, don’t you have an account worth protecting?
Disclosure: I’m the developer of the Prestashop module mentioned above, so you might say I have some vested interest in the success of the Google Authenticator technology; however, the reason I developed this solution in the first place is because I think the technology really provides value by dramatically increasing the security of user accounts in a relatively simple yet elegant way. Isn’t that what development is all about?