Google makes two-step verification easy-peasy

Blessed relief for the fat-fingered: a prompt that pops up on your phone and lets you just hit yes or no to allowing sign-in.

Ever fumble when you’re typing in a verification code sent to your phone or burbled up from Google Authenticator?

Here’s some relief for the fat-fingered: Google’s just made two-step verification (2SV) a lot less aggravating.

As the company announced on Monday, you can now get prompts pushed to your phone that ask whether you’re trying to log in from a given device.

Answering that prompt is a lot simpler than typing in a 6-digit code: just grab your phone (yes, you still have to grab your phone, turn it on, and make sure you’ve got connectivity; this isn’t entirely effortless) and make one simple button stab, choosing Yes or No to allowing sign-in.

The prompt brings up a simple dialog that shows your name, profile image, and the specific city and device you’re trying to log in from. Underneath, Google gives you two options to approve or deny the sign-in request: “No, deny sign-in” or “Yes, allow sign-in.”

This is the third way Google provides to approve 2SV sign-in requests, the others being by tapping a Security Key or by entering a verification code sent to a phone.

To enable 2SV via prompts, go to the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account.

You can keep on using the Google Authenticator app, text message, or a variety of previous methods, but Google notes that you can’t have both the Google Prompt and a Security Key enabled at the same time.

The prompt feature will be rolling out through Wednesday. Android users will need the most recent version of Google Play Services to turn it on.

iOS users will need the Google Search app installed on their phone to use Google Prompt.

Google says it will soon update its Help Center with more instructions.

Given that the new 2SV prompt is a part of Play Services, virtually all Android users will soon get this super simple access to multi-factor authentication.

That’s a very good thing.

Multifactor authentication – what’s also known as 2SV or two-factor authentication (2FA) – can help where other forms of authentication, such as passwords, fall down.

As the yearly lists of the top bad passwords show, passwords are often the weakest link in the authentication chain, given that many people don’t use passwords that are complex enough.

Others reuse passwords, setting themselves up for account break-ins when online crooks acquire logins from breaches or third-party sites, such as happened to Fitbit.

Even complex passwords can be susceptible to brute-force attack: we saw that when researchers managed to pry 18,000 Bitcoiners’ passwords out of their wallets, running the attack off a mere $55 worth of Amazon server time.

Besides the 2SV prompt, Google has made other plans to kill passwords by year’s end.

That includes supplanting passwords with a feature called the Trust API that would mix together weaker indicators – including biometrics – into something called a Trust Score.

If all works out as Google hopes, that Trust Score will prove you are who you say you are.

In the meantime, any (secure) changes that make two-factor authentication easier for more people to use are a welcome thing.

Mind you, 2FA/2SV isn’t foolproof. We found out last week that a bit of social engineering and the last four digits of somebody’s taxpayer ID can let crooks trick phone carriers into resetting a phone’s SIM and thereby intercepting the codes sent via SMS to the device.

But while it’s not foolproof, two-factor authentication is still a good, solid step to take to keep intercepted logins from being used to take over your accounts.

And heaven knows that in these days of mega breaches, there are a ghastly number of those pilfered logins out there!

8 Comments

Thanks for the heads up! Just enabled it myself! A lot quicker than having to type in a code, will be really useful for situations where you need to re-sign in several times.


hrmph. Security and convenience nearly always have an inverse relationship, and–excepting people with disabilities–this idea seems driven more by laziness than anything.

Like everyone I’ve fat fingered a couple verification codes, but it’s only six digits. Protecting oneself in any capacity takes some effort, and I cringe at this idea.

It sounds at first like a sizeable coincidence to prompt a “yes or no” 2FA verification at the same time the target is expecting one, but is it really? We’re in the age of billions of password guesses per second. One unattended PC with a “sign out all other sessions” button–and it’s all over. Or a massive MySpace breach. Or Ashley Madison. Or Amazon. Or VerticalScope. Or Yahoo. Or Adobe…

Also I truly hope the “Trust Score” thing never completely replaces my option for using a password.


Presumably, some details of the transaction will be noted in the message so you can cross-check. (I’ve seen banks with a system like this where the incoming “for approval” message shows the payment amount, the last 4 digits of the target account number, and a random ID that you can match with the one on your screen.)

(You need to do the same sort of check with a 6-digit SMS code anyway before you type it in. Otherwise crooks who are phishing you can persuade you to type in a 6-digit code that you receive but that will authorise a transaction or a login that *they’re* doing at the same time, instead of the one you think you’re doing.)

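The cross-check described in the comment above, as an added Python model that is neither Google's code nor part of the original post: each pending login carries its context (city, device) and a short match code shown on both the login screen and the phone, and a "yes" on the phone only counts when the code on the phone equals the one on the user's own screen. The class and function names are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    challenge_id: str   # random handle for one pending login
    user: str
    city: str           # context shown on the phone, as in Google's prompt
    device: str
    match_code: str     # short code shown on the login screen AND on the phone


class PushVerifier:
    """Toy model of prompt-based 2SV with a display-matched code (hypothetical)."""

    def __init__(self, code_source=lambda: secrets.randbelow(100)):
        self.pending = {}              # challenge_id -> Challenge awaiting yes/no
        self.code_source = code_source  # injectable so tests can be deterministic

    def start_login(self, user, city, device):
        """Browser side: password accepted, park a challenge, show its match code."""
        ch = Challenge(secrets.token_hex(8), user, city, device,
                       f"{self.code_source():02d}")
        self.pending[ch.challenge_id] = ch
        return ch

    def prompts_for(self, user):
        """Phone side: every prompt currently waiting for this user's answer."""
        return [c for c in self.pending.values() if c.user == user]

    def answer(self, challenge_id, code_on_my_screen, allow):
        """Phone side: approve only if the user says yes AND the codes match."""
        ch = self.pending.pop(challenge_id, None)   # one answer per challenge
        if ch is None or not allow:
            return False
        return secrets.compare_digest(code_on_my_screen, ch.match_code)


def run_scenarios(code_source):
    """Returns (legit_approved, stray_prompt_approved) for two constructed cases."""
    v = PushVerifier(code_source)
    # 1. Legitimate login: the code on alice's own screen matches her prompt.
    mine = v.start_login("alice", "Delaware", "Chromium / Linux")
    prompt = v.prompts_for("alice")[0]
    legit = v.answer(prompt.challenge_id, mine.match_code, allow=True)
    # 2. A second login for alice is started elsewhere while she logs in herself;
    #    her phone shows a stray prompt whose code is not on her screen.
    mine = v.start_login("alice", "Delaware", "Chromium / Linux")
    v.start_login("alice", "Elsewhere", "Unknown browser")
    stray = [p for p in v.prompts_for("alice") if p.challenge_id != mine.challenge_id][0]
    hijack = v.answer(stray.challenge_id, mine.match_code, allow=True)  # codes differ
    return legit, hijack
```

A plain yes/no prompt with no context or code is the first scenario with the comparison removed, which is exactly what the comment above warns about.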

Well that helps ease my mind, thanks.

To be sure, “Tap ‘yes’ if your screen shows a monkey on a bike” or “Login attempt: Chromium / Linux / Delaware” is far more specific and reassuring than merely “vote yes ifyer tryna login”

Good points on the SMS limitations–though you’ve already taught me to verify URLs and eschew (potentially) phisherman links for established bookmarks, so I extend that zealous trepidation to other scenarios. It’s one of several reasons I add 2FA numbers to my contacts list–so codes come from a recognized sender.

Lastly, apologies to Lisa; my first impression was of a simplification of something that already didn’t save DeRay McKesson


A SIM swap would put the crook in the 2FA driving seat for pure SMS-based authentication (because the new SIM would not be PIN locked), but not for app-based 2FA (because the crook would need your phone and a way to unlock it so the app could work).


I know eventually my CDMA phone will be obsoleted (wow, deja vu) by GSM but for now my phone doesn’t use one. As much as I hate to admit it…Verizon FTW!


Hah, as luck would have it, less than a month later I’m finally retiring my archaic dinosaur, Droidicus Eximus. My “new” phone is still not new but will require a SIM card. Heading to a local Verizon store and xda-developers…
