Tech News : Google Users To Be Auto-Enrolled In Two-step Verification

In a recent blog post, Google has announced that the automatic enrolment of Google account users in Two Step Verification ‘2SV’ is coming soon.

Passwords – Single Biggest Threat To Online Security

In the blog post on ‘On World Password Day’ (May 6), Google’s Director of Product Management, Identity and User Security, Mark Risher, shared some of the measures that Google would be taking to improve the online security of Google account users by reducing the risks posed by the password-based login.

Mr Risher shared Google’s belief that “passwords are the single biggest threat to your online security” due them being easy to steal and hard to remember.  He also pointed out how, instead of making and trying to remember more complicated passwords, 66 per cent of Americans have admitted to using the risky practice of ‘password sharing’ (i.e. using the same password across multiple websites and platforms).  This means that if one of those websites is compromised and the password stolen, all the other accounts (sites) are then vulnerable.

Mr Risher also noted that, in 2020, searches for “how strong is my password” increased by 300 percent, thereby indicating a growing demand for better and safer login and verification methods.

Two-step verification (2SV) 

The best way to protect an account from a breach or bad password, according to Mr Risher’s Google blog post, is to have a second form of verification in place, thereby enabling confirmation that it is really the account holder who is logging in. 

Although Google has been offering two-step verification (2SV) for years, according to the blog post, the plan now appears to be to “start automatically enrolling users in 2SV if their accounts are appropriately configured”.

Google has also built its security keys into Android devices, and launched the Google Smart Lock app for iOS, to enable people to use their phones as their secondary form of authentication. 

Password Manager

Password Managers are a practical and secure way to store and get access to different passwords for different programs and platforms when needed. Google has its own Password Manager built into Chrome and Android and iOS, uses the latest security technology to protect your passwords across multiple sites and apps.

Google’s Password Manager is also integrated into its single-click Google Security Checkup to tell users if any of their passwords have been compromised, show if passwords are being used across different sites, and indicate if passwords are strong enough.

What Does This Mean For Your Business?

Although Google will be automatically enrolling users in 2SV to improve security, a passwordless future and biometrics are likely to be the way that tech companies go to offer greater security going forward. 

For example, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault has signalled the corporation’s move away from passwords on their own as a means of authentication towards (biometrics) and a “passwordless future”.  Also, in August last year, Google announced that users could verify their identity by using their fingerprint or screen lock instead of a password when visiting certain Google services (e.g. Pixel devices and all Android 7+ devices).  This was because of Google’s collaboration with many other organisations in the FIDO Alliance and the W3C that led to the development of the FIDO2 standards, W3C WebAuthn and FIDO CTAP that allows fingerprint verification.

Unlike the native fingerprint APIs on Android, FIDO2 biometric capabilities are available on the Web which means that the same credentials be used by both native apps and web services. The result is that users only need to register their fingerprint with a service once and the fingerprint will then work for both the native application and the web service. Also, the FIDO2 design is extra-secure because it means that a user’s fingerprint is never sent to Google’s servers but is securely stored on the user’s device.  Only a cryptographic proof that a user’s finger was scanned is actually sent to Google’s servers.

It is clear, therefore, that although password authentication/verification systems such as 2SV can provide just about enough security, for now, biometrics appears to the way forward and the way to stay ahead of cybercriminals using ever-more sophisticated ways to crack or steal passwords.