There is a hack that adds “two-factor authentication”, but it appears to rely on a Google Gadget that loads only after you have already logged into Gmail. That defeats the purpose of the app, and it is easy to break when logged into the basic version of Google Apps.
As of today, Google Apps Standard, and Gmail in general, do not natively support two-factor authentication. However, if you are using Google Apps Premier or Education, you are in luck, because there is a free plugin in the Google Apps Marketplace that allows true two-factor authentication for Google Apps. The name of the plugin is.
These instructions assume you already have a Google Apps Premier account. First, sign up for the Google Apps MyOneLogin account as the administrator on the account. You will need to enter several pieces of information, including your domain, your username and your password for the Google Apps account.
This information is stored at MyOneLogin so that it can modify your Google Apps settings for you. The major change it makes to your account is setting up Single Sign On (or SSO) so that your logins are handled by an outside provider. Don’t forget to enable VIP Access from VeriSign – this is the free One Time Password generator you will use.
You must then assign the SSO settings; MyOneLogin will do this for you. Look for the warning on the right that says “Test mode is OFF”. You will then see a screen that lets you switch into “Production” mode. This sets all users to be sent to the MyOneLogin two-factor authentication screen when they try to log into your Apps account.
Once that is set up, all users who attempt to log into the Google Apps account are forwarded to MyOneLogin. On their first login they will enter their Google Apps username and password and then they will be prompted to register their One Time Password Credential ID with their service. This will be used going forward for secure two-factor authentication. You simply click on the “Google Apps” application and it will put you right into your Inbox, securely.
One problem I did come across was that the final login process to your Inbox was broken in my version of Chrome. I think it had something to do with the popup blocker. Make sure to add your MyOneLogin domain to the popup whitelist to fix this problem.
I’ve been testing it for the last few days and it seems to work great besides the Chrome problem. One security issue that you might think of is that you are trusting MyOneLogin with your administrator password for your Apps account. This is a valid concern considering they are not a well-known player in this space, but I think the extra security you receive from adding two-factor authentication is well worth the risk, and everything that I have seen seems to indicate that they are a very security-minded company.
All of this brings up the question: why doesn’t Google enable a direct way to use two-factor authentication with their Gmail, Calendar and other services? Many folks such as myself use Google services for all too many things in their lives, and that login is potentially the most important one of their online life. I would suggest that Google gets onto the security boat and enables this as an option for everyday folks.
Let us know how this works out for you if you use VeriSign VIP or any other two-factor authentication for Google Apps. This was the only solution I came across and I am very curious how others are using this in the real world to secure their data online or if there are other free alternatives.
Photo courtesy darwinbell.