A little more inconvenient, a lot more secure.
Google offers individual users the ability to turn on two-factor authentication (Google calls it two-step verification) to raise the level of protection for information stored in Google Apps.
Most application logins rely on a single factor: something the user knows, the password for that username. Two-factor authentication adds something the user has: a code generated by a device in their possession, such as a hardware security token or a smartphone, which must be entered alongside the password.
Banks have been issuing security tokens that generate one-time codes for several years. More recently the vendors that make the tokens have extended the concept with smartphone applications that generate the codes instead.
Google has developed its own Authenticator application for BlackBerry, iPhone and Android phone owners.
With two-step verification on, a user on their own (trusted) computer enters a code from the smartphone, alongside the password, once every 30 days; on a public or untrusted computer in a hotel or cafe the code is required at every login. The 30-day exemption only applies to a computer you have told Google to remember at login, so leave that option unticked on any machine you don't control.
Users who don't own a smartphone can instead receive the code from Google by SMS or automated phone call.
The flipside of tighter security is less convenience. If your smartphone's battery is flat and you need to reach your data from a public computer, you are stuck. Google covers this case by giving each user a printed list of backup codes that work without the phone; each code can be used once.
These codes are obviously a security liability, particularly if you keep them in the same place as your password. Someone who stole your wallet would probably not know what to do with an unlabelled list of eight-digit strings, but the same risk applies if someone steals your smartphone, since the phone itself is now the second factor. Treat both as you would the password: keep the list apart from the password, and if the phone or the list goes missing, generate a new set of codes so the old ones stop working.
Another inconvenience is updating desktop applications that connect to Google services but are not compatible with two-step verification. If you use a desktop email client to read your Gmail or Google Apps email, you will need to generate a password specifically for that client.
Other software that requires an application-specific password includes smartphone apps (Android, iPhone or BlackBerry), Chrome Sync, mail clients and chat clients.
This is not such a hassle if you are sitting at your laptop and can log into Google Apps and find the right page (it's easy to forget where the page lives).
It is a hassle if you are out of the office and trying to read Google Apps email on your mobile phone. Without the long, randomly generated application-specific password, which Google shows only once when you create it, you won't be able to read a single email.
Given the number and variety of security threats, the benefits of two-factor authentication outweigh the inconveniences. It's worth listing every cloud and on-premise application that accesses Google Apps and creating an application-specific password for each one (one per application, so a single password can be revoked without disturbing the rest) the moment you turn on two-step verification.
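The backup codes and application-specific passwords discussed above are both secondary credentials that bypass the phone, which is what makes them a liability. As an added example (my own illustrative design, not Google's implementation), here is how a service can issue both while limiting the damage if its store leaks: only salted PBKDF2 hashes are kept, the plaintext is returned once and never stored, backup codes are retired on first use, and application-specific passwords are labelled per application so one client can be revoked without touching the others. The code lengths, the lowercase alphabet for application passwords and the PBKDF2 round count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

# Illustrative parameters, not Google's actual formats.
BACKUP_CODE_DIGITS = 8        # the article mentions eight-digit strings
APP_PASSWORD_LENGTH = 16      # assumed length of an application-specific password
PBKDF2_ROUNDS = 30_000        # kept low so the example runs quickly; raise in production


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class StoredCredential:
    label: str          # "backup" for a backup code, otherwise the application name
    salt: bytes
    digest: bytes
    single_use: bool
    used: bool = False
    revoked: bool = False


class SecondaryCredentialStore:
    """Holds only salted hashes: a copy of this store does not yield usable codes.
    The plaintext is handed back exactly once, at issue time."""

    def __init__(self) -> None:
        self.entries: List[StoredCredential] = []

    def _issue(self, plaintext: str, label: str, single_use: bool) -> str:
        salt = secrets.token_bytes(16)
        self.entries.append(StoredCredential(label, salt, _hash(plaintext, salt), single_use))
        return plaintext

    def issue_backup_codes(self, count: int = 10) -> List[str]:
        """Single-use emergency codes for when the phone is unavailable."""
        return [
            self._issue("".join(secrets.choice(string.digits) for _ in range(BACKUP_CODE_DIGITS)),
                        "backup", single_use=True)
            for _ in range(count)
        ]

    def issue_app_password(self, app_name: str) -> str:
        """A long random password for one client that cannot do two-step verification.
        Reusable until revoked; the label exists so it can be revoked on its own."""
        alphabet = string.ascii_lowercase
        return self._issue("".join(secrets.choice(alphabet) for _ in range(APP_PASSWORD_LENGTH)),
                           app_name, single_use=False)

    def revoke_app(self, app_name: str) -> int:
        """Revoke every live password issued to this application; returns how many."""
        count = 0
        for entry in self.entries:
            if entry.label == app_name and not entry.revoked:
                entry.revoked = True
                count += 1
        return count

    def _match(self, presented: str, entry: StoredCredential) -> bool:
        return hmac.compare_digest(_hash(presented, entry.salt), entry.digest)

    def verify_backup_code(self, presented: str) -> bool:
        """Accept a live backup code once, then retire it; spaces from the printed layout are ignored."""
        presented = presented.replace(" ", "")
        for entry in self.entries:
            if entry.label == "backup" and not entry.used and self._match(presented, entry):
                entry.used = True
                return True
        return False

    def verify_app_password(self, presented: str) -> Optional[str]:
        """Any live application password is accepted regardless of which client sends it
        (the server cannot tell); returns the label it was issued under, or None."""
        presented = presented.replace(" ", "")
        for entry in self.entries:
            if entry.label != "backup" and not entry.revoked and self._match(presented, entry):
                return entry.label
        return None


if __name__ == "__main__":
    store = SecondaryCredentialStore()
    codes = store.issue_backup_codes()
    print("backup codes (show once, then discard):", codes)
    print("first use:", store.verify_backup_code(codes[0]), "second use:", store.verify_backup_code(codes[0]))
    pw = store.issue_app_password("Thunderbird")
    print("app password:", pw, "->", store.verify_app_password(pw))
    store.revoke_app("Thunderbird")
    print("after revoke ->", store.verify_app_password(pw))
```

The verify functions deliberately hash against every live candidate rather than stopping early on a label mismatch, so they cost one PBKDF2 per stored entry; that is acceptable for ten backup codes and a handful of application passwords, but it is the reason such stores should hold a small fixed number of entries and why the user's inventory of applications is worth keeping short.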