Google on Monday announced that it’s simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts.
Also called 2-Step Verification (2SV), it aims to add an extra layer of security to users’ accounts to prevent takeover attacks in case the passwords are stolen.
The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication.
“This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the company said. “Previously, users had to enable 2SV with a phone number before being able to add Authenticator.”
Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a FIDO2 credential) to one.
Google notes that Workspace accounts may still be required to enter their passwords alongside their passkey if the admin policy for “Allow users to skip passwords at sign-in by using passkeys” is turned off.
Another significant change is that, users who opt to turn off 2FA from their account settings will now no longer have their enrolled second steps automatically removed.
“When an administrator turns off 2SV for a user from the Admin console or via the Admin SDK, the second factors will be removed as before, to ensure user off-boarding workflows remain unaffected,” Google said.
The development comes as the search giant said over 400 million Google accounts have started using passkeys over the past year for passwordless authentication.
Modern authentication methods and standards like FIDO2 are designed to resist phishing and session hijacking attacks by leveraging cryptographic keys generated by and linked to smartphones and computers in order to verify users as opposed to a password that can be easily stolen via credential harvesting or stealer malware.
A threat actor could, however, circumvent FIDO2 by launching an adversary-in-the-middle (AitM) attack that can take over user sessions in apps that employ single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico, according to recent research from Silverfort.
“A successful MitM attack exposes the entire request and response content of the authentication process,” stated security researcher Dor Segal.
The vulnerability stems from the widespread practice of apps failing to safeguard the session tokens generated upon successful authentication, thereby enabling malicious actors to gain unauthorized access.
Moreover, there is typically no validation of the device requesting the session, allowing any device to utilize the cookie until it expires. This facilitates the acquisition of the cookie through a Man-in-the-Middle (MitM) attack, circumventing the authentication process.
To ensure that the authenticated session is exclusively utilized by the client, the adoption of the token binding method is advised. This approach allows applications and services to securely link their security tokens to the Transport Layer Security (TLS) protocol layer.
While token binding is currently supported only by Microsoft Edge, Google recently introduced Device Bound Session Credentials (DBSC), a new Chrome feature. DBSC is engineered to defend against session cookie theft and hijacking attempts, further bolstering security measures.
Contact us if you have any questions or concerns.