Google Makes Implementing 2FA Simpler
Google is making it easier for users to implement two-factor authentication (2FA) for their personal or business Workspace accounts. This is part of the company’s larger push for users to adopt stronger verification methods, whether it’s multi-factor authentication (MFA) or passwordless tools like biometrics or passkeys.
The changes to what Google also calls 2-Step Verification (2SV) that were unveiled this week include the ability to add “second step methods,” such as Google Authenticator or a hardware security key, before turning on 2SV. Previously, users needed to enable 2SV with a phone number before they could add Authenticator.
“This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the company wrote. Those using hardware security keys can either register a FIDO1 credential on the key even if it’s FIDO2-capable or register a FIDO2 credential on the key, which will require users to use the key’s PIN for local verification, creating a passkey on the security key.
If the administrator’s policy allowing users to skip the password when signing in with a passkey remains turned off, which is Google’s default configuration, users will continue to be asked for both their password and their passkey.
In the past, if a user who was enrolled for 2SV turned off the capability, all the second steps they chose – such as backup codes, Google Authenticator, or a second-factor phone – would be removed automatically. Now if the user turns off 2SV, those second steps are kept in place.
That said, if an administrator turns off the user’s capability from the admin console or through the admin software development kit, the factors are removed. This ensures that when a user leaves the company, the processes for off-boarding them remain in place.
The Need for MFA
Google, Microsoft, and other IT companies are pushing for greater MFA adoption to protect users against phishing, password spray, and other cyberattacks. It’s needed particularly as bad actors continue to target login credentials like usernames and passwords as ways to compromise corporate systems. According to Microsoft, the company deflects more than 1,000 password attacks every second, and more than 99.9% of accounts that are compromised don’t have MFA enabled.
According to Verizon’s 2023 Data Breach Investigations Report, stolen credentials and phishing were used in 65% of all data breaches in 2022.
“Multifactor authentication is one of the most basic defenses against identity attacks today, and despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session,” Alex Weinert, Microsoft vice president of identity security, wrote early last year. “With such low coverage, attackers increase their attack rate to get what they want.”
The Dream of Passwordless
For tech companies like Google, Microsoft, and Apple, the goal is for passwords to become unnecessary for authentication, replaced instead by biometrics – such as fingerprint or face scanners – or passkeys. The vendors have partnered with groups like the FIDO Alliance and World Wide Web Consortium to develop standards that will eliminate passwords, which are notoriously easy to break and are often reused by people across multiple accounts.
It likely will take time to get to a passwordless future, though there are signs that it’s coming. Privileged access manager (PAM) vendor Delinea found in a survey of attendees at the Black Hat Conference 2023 that 54% of respondents called passwordless a “viable concept” and 79% said that passwords are either evolving or becoming obsolete. It was a small sampling – 100 attendees – but the results echoed what other larger surveys have found.
Two months later, a larger survey of 1,005 IT decision-makers by FIDO and password manager firm LastPass found that 95% already use some kind of passwordless technology at their organization and 92% have a plan in place to adopt such technologies more widely.
Google: Fast Passkey Adoption
Another proof point came earlier this month, when Google said that in less than a year after introducing passkeys for all Google accounts, they’d been used to authenticate people more than 1 billion times on more than 400 million accounts.
“Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords,” wrote Heather Adkins, vice president of security engineering at Google. “In fact, on a daily basis passkeys are already used for authentication on Google Accounts more often than legacy forms of 2SV, such as SMS one-time passwords (OTPs) and app-based OTPs (such as Authenticator apps) combined.”
In addition, Google will soon support the use of passkeys for enrolling in its Advanced Protection Program – which is aimed at those at the highest risk of targeted attacks, such as human rights workers and journalists – and noted the growing number of password manager vendors offering password management APIs for various operating systems, including Android.
Google also noted the growing adoption of passkeys by such companies as Amazon, 1Password, Docusign, and Kayak. Early adopters included eBay, Uber, PayPal, and WhatsApp.