

    Google Simplifies 2-Factor Authentication Setup (It’s More Important Than Ever)

    Google has unveiled a streamlined process for enabling two-factor authentication (2FA), also known as 2-Step Verification (2SV), for users with personal and Workspace accounts. This enhanced security measure aims to fortify accounts against takeover attempts, particularly in the event of password theft.

    The updated procedure involves adding a secondary authentication method, such as an authenticator app or a hardware security key, before activating 2FA. This eliminates the reliance on less secure SMS-based authentication.

    Google’s announcement emphasizes the convenience for organizations using Google Authenticator or similar time-based one-time password (TOTP) apps. Previously, users were required to enable 2SV with a phone number before integrating Authenticator.

    For users with hardware security keys, Google offers two options for account integration: registering a FIDO1 credential on the hardware key or assigning a passkey (FIDO2 credential) to it.

    However, Workspace account holders may still need to input passwords alongside their passkeys if the admin policy “Allow users to skip passwords at sign-in by using passkeys” is disabled.

    In a notable update, users who opt to disable 2FA from their account settings will no longer have their enrolled second steps automatically revoked. Instead, when an administrator disables 2SV for a user, the second factors will be removed as usual to ensure smooth off-boarding workflows.

    Google’s announcement coincides with the revelation that over 400 million Google accounts have adopted passkeys in the past year for passwordless authentication. Passkeys, based on modern standards like FIDO2, enhance security by utilizing cryptographic keys linked to devices, thereby mitigating risks associated with traditional passwords susceptible to theft.

    Despite advancements, recent research by Silverfort highlights potential vulnerabilities. Threat actors could exploit an adversary-in-the-middle (AitM) attack to circumvent FIDO2, particularly in applications employing single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico.

    Security researcher Dor Segal notes that a successful AitM attack can capture the session token issued after authentication, granting unauthorized access to the application. This works because the session token is not validated against the device it was issued to once authentication completes, so any device holding a stolen cookie can use it until it expires.

    To mitigate such risks, the adoption of token binding is recommended, binding security tokens to the Transport Layer Security (TLS) protocol layer. Although token binding is currently limited to Microsoft Edge, Google’s recent introduction of Device Bound Session Credentials (DBSC) in Chrome aims to bolster protection against session cookie theft and hijacking attacks.
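    The defence the two paragraphs above describe (a session cookie that is only honoured together with proof of possession of a key held by the device it was issued to) can be modelled in a few dozen lines. The following Go program is an added example written for this page; it is not Google's DBSC implementation, nor the token-binding spec, and the `Server`, `Device`, `Challenge`, `Refresh` and `RunScenario` names and the single-use nonce scheme are this example's own assumptions. It plays out three attempts against one bound session: the legitimate device answering a challenge, an attacker who holds the stolen cookie but a different key, and a replay of an earlier signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// boundSession is the server's record for one issued cookie: the device public
// key registered at sign-in and the single-use challenge currently outstanding.
type boundSession struct {
	deviceKey ed25519.PublicKey
	challenge []byte // nil when no challenge is outstanding
}

// Server is a toy relying party (hypothetical, not a real DBSC endpoint) that
// only honours a cookie when the holder can also sign with the bound device key.
type Server struct {
	sessions map[string]*boundSession
}

func NewServer() *Server { return &Server{sessions: map[string]*boundSession{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// StartSession runs after primary authentication (password + 2FA) succeeds:
// the client registers a device-held public key and gets a cookie bound to it.
func (s *Server) StartSession(deviceKey ed25519.PublicKey) string {
	cookie := hex.EncodeToString(randomBytes(16))
	s.sessions[cookie] = &boundSession{deviceKey: deviceKey}
	return cookie
}

// Challenge hands the cookie holder a fresh nonce that must be signed by the
// bound device key before the session may continue.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	sess, ok := s.sessions[cookie]
	if !ok {
		return nil, errors.New("unknown session cookie")
	}
	sess.challenge = randomBytes(32)
	return sess.challenge, nil
}

// Refresh verifies the signed challenge. The nonce is consumed whether or not
// verification succeeds, so one captured signature cannot be reused.
func (s *Server) Refresh(cookie string, sig []byte) error {
	sess, ok := s.sessions[cookie]
	if !ok {
		return errors.New("unknown session cookie")
	}
	if sess.challenge == nil {
		return errors.New("no outstanding challenge for this session")
	}
	nonce := sess.challenge
	sess.challenge = nil
	if !ed25519.Verify(sess.deviceKey, nonce, sig) {
		return errors.New("proof of possession failed: not signed by bound device key")
	}
	return nil
}

// Device models the browser side: a private key that never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Sign(challenge []byte) []byte  { return ed25519.Sign(d.priv, challenge) }

// RunScenario returns the outcome of three refresh attempts on one bound session.
func RunScenario() (legit, stolenCookie, replay error) {
	server := NewServer()
	victim := NewDevice()
	cookie := server.StartSession(victim.PublicKey())

	// 1. The legitimate device answers the challenge with its own key.
	nonce, _ := server.Challenge(cookie)
	sig := victim.Sign(nonce)
	legit = server.Refresh(cookie, sig)

	// 2. An attacker holds the exfiltrated cookie but not the device key.
	attacker := NewDevice()
	nonce2, _ := server.Challenge(cookie)
	stolenCookie = server.Refresh(cookie, attacker.Sign(nonce2))

	// 3. The attacker replays the signature from step 1 against a new nonce.
	server.Challenge(cookie)
	replay = server.Refresh(cookie, sig)
	return legit, stolenCookie, replay
}

func main() {
	legit, stolen, replay := RunScenario()
	fmt.Println("legitimate device:       ", legit)
	fmt.Println("stolen cookie, wrong key:", stolen)
	fmt.Println("replayed signature:      ", replay)
}
```

The point of the model is the one the article makes: once the cookie alone is not enough, an AitM proxy that captures it still cannot use it, because the proxy never sees the private key. Real deployments store that key in hardware-backed storage and carry the challenge and signature in HTTP headers; this example keeps both in memory so the property can be checked offline.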

    In conclusion, while Google enhances 2FA usability, ongoing efforts to address emerging threats underscore the evolving landscape of cybersecurity and the importance of adopting robust authentication mechanisms.
