The new option consists of a pop-up that displays a mobile user’s name and profile image, and that specifies the location and device involved in the attempted sign-in. The device owner is asked whether to allow or deny the sign-in.
Enterprise end users still have other choices for two-step authentication. They can use a Google Security Key or enter a verification code sent to their phone.
Implementing Google Prompt
“Implemented correctly, two-step authentication is an improvement over traditional password-based authentication,” said Travis Smith, senior security research engineer at Tripwire.
“Moving to the Google Prompt mechanism is a step to make two-step authentication easier to implement for end users,” he told TechNewsWorld. “Instead of having to copy a six-digit code from one device or app to another, they can hit a single button when prompted.”
Google will update its Help Center with detailed instructions on how to implement its latest two-step authentication feature.
Google Prompt is available for both Android and iOS. Android users have to update Google Play Services to use Google Prompt, while iOS users have to install Google Search on their devices first.
“Typically with features like this, IT gets lots of notice that it’s coming,” observed Rob Enderle, principal analyst at the Enderle Group.
“That doesn’t seem to be the case here. Google appears to have done this with little or no notification,” he told TechNewsWorld.
Springing new features can be annoying for IT departments, because it results in “a bit of an unplanned fire drill,” Enderle said.
However, Google Prompt does give users a choice and should be easier to use, which could result in fewer complaints.
It’s not without risk, though. A hacker could get the notice and push it to something that already has been compromised, Enderle suggested.
“I’m not sure this is inherently more secure than Google Security Keys, given phones can be hacked,” he said.
2-Step Weaknesses
In one example of a phishing attack against a two-step verification system, an attacker could trigger the delivery of a code from a service provider to a user, and lure the user into forwarding the code to the attacker, researchers at the New York University Polytechnic School of Engineering have demonstrated.
The attacker would attempt to log into the victim’s account and then claim to have forgotten the password. That would trigger a verification code text. The hacker then would send the victim a second SMS, asking the user to forward the verification code to confirm the phone was linked to the online account under attack.
In the demonstration, most targets weren’t aware that the two SMS messages came from different sources.
“We attribute the success of the attack to the lack of an effective and usable means for the user to verify the service provider, the lack of context for the message sent, and an assumption about users’ understanding of the authenticating process,” the NYU researchers wrote.
“It’s critical to enable a password on the lockscreen of mobile devices,” said Tripwire’s Smith.
“Not only will this reduce the chances of a nefarious actor accessing sensitive data, but it will also prevent the actor from gaining access to the two-step authentication prompts to add rogue devices to your account,” he explained.
The Big Picture
“The issue for Google is that Android has been historically insecure,” Enderle pointed out.
“For any security solution to work, you have to believe the platform can be made secure,” Enderle continued. “Because Android still has a lot of side loading, any security solution on that platform can be compromised by malware more easily than most other platforms.”
Google Prompt “does move the ball,” said Enderle, “just not as much as it would if people believed Google took security seriously.”