As part of its continuing effort to secure its cloud apps and attract businesses, consumers, and government customers, Google will begin rolling out optional two-factor authentication. This follows the security best practice of requiring more than one type of credential to authenticate a user, drawn from the three classic factors: something you know (PIN, password), something you possess (token, certificate, device), and something you are (biometric, recognition).
It will be available first to paying customers and educational users. Enabled accounts will use the normal password login page (something you know), followed by a prompt for a one-time code sent to the user's mobile device via text/SMS (something you possess).
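To make that second step concrete, here is an added example of what the server side of an SMS one-time-code check looks like. This is illustration written for this post, not Google's code and not code from the original page; the SMS gateway is a hypothetical callable passed in by the caller, and the six-digit length, five-minute lifetime and three-attempt limit are assumed parameters, not anything Google has published.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # length of the code sent over SMS (assumed)
CODE_TTL_SECONDS = 300   # code expires five minutes after it is issued (assumed)
MAX_ATTEMPTS = 3         # lock the challenge after this many wrong guesses (assumed)


@dataclass
class Challenge:
    """One outstanding second-factor challenge for a user who already passed the password step."""
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked server-side store does not reveal live codes.
    return hashlib.sha256(salt + code.encode()).digest()


class SecondFactor:
    """Second step of the login flow: issue a one-time code out of band, then verify it."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms       # hypothetical gateway hook: callable(phone_number, message)
        self._now = now
        self._challenges: dict[str, Challenge] = {}

    def issue(self, username: str, phone_number: str) -> None:
        """Called only after the password check succeeds. Generates and sends a fresh code."""
        # secrets, not random: the code must be unpredictable to someone who already has the password.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._challenges[username] = Challenge(
            salt=salt,
            code_hash=_hash_code(code, salt),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        """True exactly once per issued code; wrong, stale, reused or over-tried codes all fail."""
        ch = self._challenges.get(username)
        if ch is None or ch.consumed:
            return False
        if self._now() > ch.expires_at:
            del self._challenges[username]
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            # A six-digit code only survives online guessing if the number of tries is capped.
            del self._challenges[username]
            return False
        ch.attempts += 1
        if hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash):
            ch.consumed = True   # single use: replaying an intercepted SMS later must not work
            return True
        return False


def demo() -> dict:
    """Constructed walk-through using a fake SMS gateway that just records what it would send."""
    sent = []
    clock = [1_000_000.0]   # controllable clock so the expiry path can be exercised offline
    sf = SecondFactor(send_sms=lambda number, msg: sent.append(msg), now=lambda: clock[0])

    sf.issue("alice", "+15550100")           # password step assumed already passed
    code = sent[-1].split()[-1]              # what the user reads off the phone
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code": sf.verify("alice", wrong),
        "right_code": sf.verify("alice", code),
        "replay": sf.verify("alice", code),  # same code again must be refused
    }

    sf.issue("alice", "+15550100")
    code = sent[-1].split()[-1]
    clock[0] += CODE_TTL_SECONDS + 1         # let the code age past its lifetime
    results["expired"] = sf.verify("alice", code)

    sf.issue("alice", "+15550100")
    code = sent[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", wrong)
    results["locked_after_max_attempts"] = sf.verify("alice", code)
    return results
```

The expiry, single-use and attempt-limit checks are what make the code a second factor rather than a second short password: without them a six-digit code could be guessed online or replayed from an intercepted text.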
Interesting timing, given multiple mentions of this authentication method in the September 2010 issue of (In)Secure Magazine, including an article on the evolution of authentication by Steve Dispensa, CTO and co-founder of PhoneFactor.
I will be very interested to see how this impacts automated authentication for mobile devices, such as Google Calendar and Gmail. I would think that it would need to install a certificate on the mobile device, as users will not want to re-enter a code from a text every time their phone tries to connect to Google.