Friday, October 1, 2010

Improving Google's Two-Factor Authentication

Google is rolling out two-factor authentication for Google Apps. See these posts:
Here's the Google authentication flow:

1. User: Enters a valid user name and password (something known by the user).
2. Google: Sends an SMS verification code to the user's mobile phone (something the user has).
3. User: Enters the SMS verification code (something the user has) and logs into the Google App.

In my opinion, the Google flow can be improved. I would take the real-time SMS send out of the login path (step #2) because it introduces a potential latency issue. The Google-to-user phone link runs over third-party carriers and SMS gateways that Google does not control, and that delivery path may be slow or unreliable. Latency is a serious problem if a user needs to access time-dependent information such as a set of medical records.

The Google authentication flow requires three steps. Each step, in my opinion, should correspond to a single authentication factor. Currently, the "something the user has" factor spans steps #2 and #3.

The solution I suggest is to send the next SMS verification code immediately after the user logs out of the application. Under this scenario, the user already has the code on the phone at the next login instead of waiting for Google to send it in real time during the login attempt. Because that code now sits on the phone between sessions, it should still be single-use, bound to the account it was issued for, and given an expiry, so that a lost or stolen phone does not hold a valid code indefinitely.

As a backup, and in case the user mistypes the verification code or the SMS never arrives, the verification code screen should also contain a "Send new verification code" button, shown only after a correct user name and password have been entered. Issuing a new code should invalidate the outstanding one.
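The following is an added example of the proposed flow, written for this page; it is not Google's code and does not describe how Google Apps actually implements SMS verification. It assumes in-memory dictionaries for the user, pending-code and session stores, a list standing in for the SMS gateway (it records what would have been sent), and a one-week expiry for a pre-issued code (CODE_TTL_SECONDS, an assumption). The parts that matter are in the comments: the next code is issued at logout and at enrollment, the login path never waits on an SMS, a code is single-use and HMAC-bound to the account, and the "Send new verification code" path requires a correct password and replaces any outstanding code.

```python
"""OTP-at-logout flow (added example; assumptions are noted in comments)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 7 * 24 * 3600   # assumption: a pre-issued code is usable for one week
PBKDF2_ROUNDS = 200_000            # password hashing work factor


class AuthServer:
    def __init__(self, code_key: bytes):
        self._code_key = code_key  # server secret used to key the stored code digests
        self.users = {}            # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}          # username -> {"code_hmac", "issued_at"}
        self.sessions = {}         # session token -> username
        self.sent_sms = []         # constructed stand-in for the SMS gateway: (phone, code)

    def _pw_hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            self._pw_hash(password, b"\x00" * 16)  # same cost for unknown users (timing)
            return False
        return hmac.compare_digest(self._pw_hash(password, user["salt"]), user["pw_hash"])

    def _code_hmac(self, username: str, code: str) -> bytes:
        # Bind the code to the account: a code issued to one user is useless for another.
        return hmac.new(self._code_key, f"{username}:{code}".encode(), "sha256").digest()

    def _issue_code(self, username: str, now: float) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        # Only the keyed digest is stored, so a database leak does not expose live codes.
        self.pending[username] = {"code_hmac": self._code_hmac(username, code),
                                  "issued_at": now}
        self.sent_sms.append((self.users[username]["phone"], code))

    def register(self, username: str, password: str, phone: str, now=None) -> None:
        now = time.time() if now is None else now
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "pw_hash": self._pw_hash(password, salt),
                                "phone": phone}
        self._issue_code(username, now)  # first code goes out at enrollment, not at login

    def login(self, username: str, password: str, code: str, now=None):
        """Steps #1 and #3 of the flow; the SMS (step #2) was already sent at logout."""
        now = time.time() if now is None else now
        if not self._check_password(username, password):
            return None
        pending = self.pending.get(username)
        if pending is None or now - pending["issued_at"] > CODE_TTL_SECONDS:
            return None  # no live code: the user must press "Send new verification code"
        if not hmac.compare_digest(self._code_hmac(username, code), pending["code_hmac"]):
            return None
        del self.pending[username]  # single use: the same code cannot be replayed
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def resend_code(self, username: str, password: str, now=None) -> bool:
        """The "Send new verification code" button; only honoured after a correct password."""
        now = time.time() if now is None else now
        if not self._check_password(username, password):
            return False
        self._issue_code(username, now)  # replaces, and so invalidates, any earlier code
        return True

    def logout(self, token: str, now=None) -> bool:
        """The post's proposal: push the next code the moment the session ends."""
        now = time.time() if now is None else now
        username = self.sessions.pop(token, None)
        if username is None:
            return False
        self._issue_code(username, now)
        return True


if __name__ == "__main__":
    srv = AuthServer(b"constructed-server-key")
    srv.register("alice", "correct horse", "+15555550100", now=0)
    code = srv.sent_sms[-1][1]          # what the phone would have received
    token = srv.login("alice", "correct horse", code, now=10)
    print("login ok:", token is not None)
    print("replay blocked:", srv.login("alice", "correct horse", code, now=20) is None)
    print("logout issued next code:", srv.logout(token, now=30) and len(srv.sent_sms) == 2)
```

Only the keyed digest of a code is stored, and the comparison is constant-time; the `now` parameter exists so expiry can be exercised without waiting, and would be dropped in production in favour of the clock.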