Google 2-Factor Authentication just got simpler. On Monday, Google announced updates that streamline the setup process for both personal and Workspace accounts. The new process makes it easier to protect accounts from unauthorized access without weakening security.
Also called 2-Step Verification (2SV), it adds a second layer of security to a user's account, so a stolen password alone is no longer enough for an account takeover.
The update lets users add a second-step method, such as an authenticator app or a hardware security key, before turning on 2SV. Because a phone number no longer has to be enrolled first, users can skip the less secure SMS-based method entirely.
What is Google’s 2-Factor Authentication?
“This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the company said. “Previously, users had to enable 2SV with a phone number before being able to add Authenticator.”
Users with hardware security keys now have two options: register a FIDO1 credential on the key, or assign a passkey (i.e., a FIDO2 credential) to it.
Workspace accounts may still be prompted for a password in addition to the passkey if the admin has not enabled the policy that allows passwordless sign-in.
Benefits of the new Google 2FA setup
Users who turn off 2SV in their settings will no longer have their second-step methods removed automatically. Admins can still remove them from the Admin console or through the Admin SDK, so off-boarding workflows remain secure.
Google reports that over 400 million Google accounts have started using passkeys for passwordless authentication over the past year.
Modern authentication standards like FIDO2 are designed to resist phishing. The credential is a cryptographic key pair stored on the device rather than a password that can be stolen, and the signature the device produces is bound to the origin the browser actually connected to, so a phishing site cannot collect anything reusable. What FIDO2 does not protect, by itself, is the session that is created after a successful login.
That gap is exactly what research from Silverfort exploits: an adversary-in-the-middle (AitM) attack does not break the FIDO2 exchange, it captures the session issued after it. The researchers showed session takeover in apps using single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico.
“A successful MitM attack exposes the entire request and response content of the authentication process,” stated security researcher Dor Segal.
The risk comes from applications that do not bind the session token issued after authentication to the client that authenticated. Whoever holds the token can use it without re-authenticating, and the phishing resistance of the FIDO2 step no longer matters at that point.
Session validation is also often missing: the server never checks which device is presenting the cookie, so any device can use it until it expires, which makes sessions easy to hijack.
The recommended fix is token binding. It cryptographically ties a token to a key pair held by the client and proven over the TLS connection, so the token is only accepted from that client; a copy presented over a different connection is rejected.
Token binding is supported in Microsoft Edge. Google recently announced Device Bound Session Credentials (DBSC) for Chrome, which ties session cookies to a key held on the device so that a cookie stolen from one machine cannot be used from another. DBSC is built to prevent cookie theft and session hijacking, adding another layer of protection on top of the login itself.
Need help securing your organization? Contact Aura Advanced Technologies for expert cybersecurity solutions.