Google Simplifies Two-Factor Authentication for Biz Apps


Google is taking steps to simplify the process of using two-factor verification for Google apps for businesses.

There are multiple ways end users can approve sign-in requests via 2FA in Google apps, including tapping a security key or entering a verification code sent to their phone. The internet giant has now added the capability to have employees approve a prompt that simply pops up on their phones.

“We know that security is one of your top concerns as a Google Apps admin and that many of you require your employees to turn on 2-Step Verification (2SV) to keep their accounts safe,” Google said in a blog post. “Your employees can now choose any of these options in the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account.”

There are a few caveats: Admins can't have Security Keys and the Google prompt enabled at the same time for now, and a data connection is required to use the latter. Android users will need updated Google Play Services to use it, and iOS users will need the Google Search app installed on their phone.

The option will be rolled out to all users over the course of the next few days.

“This is a good step forward, and mirrors what the best enterprise multi-factor authentication (MFA) apps have been doing for some time,” said Chris Webber, security strategist at Centrify, in an email. “Having in-app MFA—which requires only a ‘yes’ or ‘no’ tap—both makes the end user experience simpler, and raises the bar even further for attackers.”

He pointed out that even an SMS-based code sent to a mobile device is many, many times stronger than simply relying on a username and password.

“Without MFA, attackers only need a stolen password, which today is very easy to get,” he said. “With SMS, they need the password, and they need to socially engineer mobile carriers into redirecting text messages from the correct phone to another device. That second piece requires real effort, some skill and a lot more time. With in-app MFA, the app must be installed on a specific device, correlated with the user. This makes the bar even higher for attackers, as the social aspect is removed from the chain.”

He added, “As all of us in the industry know—there is no perfect security. But there definitely is poor, good, and strong security—and it’s good to see we are moving away from poor password-only security, to MFA for all users.”
