Google Gets Serious About Two-Factor Authentication. Good!

“Turn on two-factor authentication” is solid advice, and WIRED has repeated it for years. Doing so ensures that your password isn’t the only line of defense against unauthorized access to your accounts. The only problem? The onus was always on you to figure out how to make it happen. Now, Google is taking its first steps toward enabling two-factor by default for all its users, and where Google goes in web security, the rest of the industry often follows.

The company said in a blog post this week that it will begin asking users who already have enabled two-step verification to authenticate by tapping a prompt on their smartphones whenever they sign into their Google or Gmail account. (Gmail has about 1.8 billion users; people can also create Google accounts using email addresses from other services.) Once Google assesses data on how easy it is for existing two-factor users to interact with these mobile prompts, the company will start automatically opting users into two-step verification.

“We’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results,” Mark Risher, Google’s director of product management for identity and user security, told WIRED. “It’s true that multifactor authentication has historically been considered tedious and challenging to set up, but for many users that is no longer the case.”

Multifactor authentication adds one or more additional checks to a login process beyond just a username and password. Your second factor could be an ephemeral, randomly generated code from an authentication app, the presence of a physical authentication key like a YubiKey, or even a digital token built into your smartphone. And adding at least one of these extra layers makes it much harder for phishers, scammers, or other malicious hackers to penetrate your digital accounts.

While multifactor authentication seems like an obviously beneficial security feature, companies have been reluctant to mandate its use for everyone. Requiring two-factor might dissuade consumers from trying their services, ultimately hurting their business. Users also might not have the equipment or know-how to navigate multifactor authentication, thus excluding them from services they might otherwise want to use.

“Ultimately, we want all of our users to have the best security protections in place, by default, across their devices and accounts,” Risher says. “At the same time, we recognize that today’s two-step verification options aren’t suitable for every user, so we are actively working on technologies that provide a secure, equitable authentication experience and eliminate the reliance on passwords.”

Google users will still be able to opt out of two-factor authentication if they change their mind. The goal, though, is to push both users and the wider tech industry toward two-factor as a baseline standard.

Google has been a leader on other major web security transitions, from promoting autoupdates and sandboxing with Chrome to pushing for ubiquitous HTTPS web traffic encryption. It’s not the only heavy hitter to start habituating its users to multifactor authentication, though. Apple hasn’t fully mandated two-factor for its Apple IDs, but in recent years the company has aggressively promoted the feature and made it more and more difficult to opt out.

“It’s great to see Google advancing the industry by nudging users to enable multifactor authentication, in this case with our smartphones,” says Kenn White, a security engineer and founder of the Open Crypto Audit Project. “If we can make it easy to move beyond simple credentials that’s a win for account security and everyone. And we are gradually starting to see large organizations like banks and healthcare adopt urgently needed protections like mandatory two-factor.”
