Security Experts:

Google Lets Admins Force Two-Factor Authentication, Enhances Active Directory Support

Back in February 2011, Google launched support for two-factor authentication, a login method that requires two independent elements in order to successfully access an account. The first element being a password, and the second element typically being something you “have” with you or have access to, such as an authentication code from a token or mobile phone. (RSA made two-factor authentication famous with its tokens that eventually became the subject of the major cyber attack in March 2011.)

While Google has supported what it calls “2-step verification” for both individual user accounts and enterprise Google Apps customers for some time, business had no way to force the use of the additional security measure for all users.

But starting this week, Google Apps administrators can require users in their domain to use 2-step verification. This new feature, Google says, will help its Google Apps customers accelerate deployment of the additional security measure.

In addition to allowing admins to force the use of two-factor authentication across an entire user base, Google released another feature that enhances integration with Microsoft Active Directory.

“For businesses that use Microsoft Active Directory (AD), we’ve added new capabilities to synchronize and manage passwords,” Rishi Dhand, Product Manager, Google Apps, noted in a blog post. “Businesses can manage password policies (e.g. password strength, reset intervals, etc.) using AD and then synchronize from AD to Google Apps when passwords are changed. Passwords are transmitted hashed and encrypted during synchronization.”

Information on how to configure the new 2-step verification policy in the Google Apps can be found here. center The Google Apps Password Sync for Active Directory (GAPS), can be downloaded here, and information on how to configure it can be found here.

These are the latest enhancements from Google to help increase security for its users. Earlier this month, Google said that it would start notifying users if it believed they are the target of a state-sponsored attack. Google has already had the alerts available that can notify users of malicious activity, especially attempts by unknown third parties to monitor users via unauthorized access.

Subscribe to the SecurityWeek Email Briefing
view counter