In response to the many high-profile and enormous data breaches that have occurred in the past few months, Google has decided to roll out a new two-step authentication feature called Google Prompt.
Google Prompt is meant to help enterprise employees keep their accounts and personal information secure. The feature consists of a pop-up display that shows a user’s name and profile image and specifies the location and device involved in the attempted sign-in. The device owner is then prompted to answer whether he or she wants to allow or deny the sign-in.
Enterprise end users can also opt into other forms of two-step authentication; they can use a Google Security Key or enter a verification code sent to their phone if they prefer it to using Google Prompt.
According to Travis Smith, Tripwire’s senior security research engineer, “Implemented correctly, two-step authentication is an improvement over traditional password-based authentication.”
“Moving to the Google Prompt mechanism is a step to make two-step authentication easier to implement for end users,” he continued. “Instead of having to copy a six-digit code from one device or app to another, they can hit a single button when prompted.”
Security experts generally recommend that users enable two-step authentication, as it makes them less vulnerable to increasingly common hacking scams. Even Facebook CEO Mark Zuckerberg lost control of his Twitter account because he had not enabled two-step authentication. However, two-step authentication cannot guarantee network security on its own.
Unfortunately, sophisticated attackers can launch phishing schemes that allow them to trigger the delivery of a verification code from a service provider to a user. An unsuspecting user then enters or forwards the code to the attacker. This was demonstrated by researchers at the New York University Polytechnic School of Engineering.
Ultimately the scheme wasn’t especially difficult. The attacker attempts to log into the victim’s account, enters the wrong password, and then claims to have forgotten it. That triggers a verification code sent to the victim by text message. The attacker follows up with a second SMS asking the victim to forward the verification code in order to confirm that the phone is linked to the online account under attack. In the demonstration, most targets didn’t notice that the two text messages came from different phone numbers, a red flag any time password security is involved.
“We attribute the success of the attack to the lack of an effective and usable means for the user to verify the service provider, the lack of context for the message sent, and an assumption about users’ understanding of the authenticating process,” explained the NYU researchers.
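As an added illustration (not code from Google, Tripwire, or the NYU researchers), the following Python sketch shows how a service provider could address the weaknesses the researchers name: the message states the provider and the purpose of the code and says the code must never be forwarded, and the code is accepted only for the request and purpose it was issued for, once, before it expires, and with a small attempt limit. The service name, request ids, five-minute lifetime and attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 300   # assumed policy: code lifetime
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses before the code is void


@dataclass
class PendingCode:
    code: str
    purpose: str      # e.g. "sign-in" or "password reset"
    issued_at: float
    attempts: int = 0
    used: bool = False


class VerificationService:
    """Issues single-use SMS verification codes bound to one request and purpose."""

    def __init__(self, service_name: str, now: Callable[[], float] = time.time):
        self.service_name = service_name
        self.now = now                       # injectable clock, so expiry is testable
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, request_id: str, purpose: str) -> Tuple[str, str]:
        """Create a code for one request and return (code, message_to_send).
        The message gives the user context: who is sending it, what it is for,
        and that it must never be forwarded to anyone."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[request_id] = PendingCode(code, purpose, self.now())
        message = (f"{self.service_name}: your code for {purpose} is {code}. "
                   f"It expires in {CODE_TTL_SECONDS // 60} minutes. "
                   f"{self.service_name} will never ask you to send this code "
                   f"to anyone, including by text message.")
        return code, message

    def verify(self, request_id: str, purpose: str, submitted: str) -> bool:
        """Accept the code only for the request and purpose it was issued for,
        only once, only before expiry, and only within the attempt limit."""
        pending = self._pending.get(request_id)
        if pending is None or pending.used or pending.attempts >= MAX_ATTEMPTS:
            return False
        if pending.purpose != purpose or self.now() - pending.issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(pending.code, submitted):
            pending.attempts += 1           # a forwarded or guessed code burns an attempt
            return False
        pending.used = True
        return True
```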
Tripwire’s Smith had this to say:
“It’s critical to enable a password on the lockscreen of mobile devices… Not only will this reduce the chances of a nefarious actor accessing sensitive data, but it will also prevent the actor from gaining access to the two-step authentication prompts to add rogue devices to your account.”
Rob Enderle believes that Google might be moving forward with the two-step authentication process not just to increase user security but also to cover up a long-term failure to secure the private data of its customers.
“The issue for Google is that Android has been historically insecure,” he stated. “For any security solution to work, you have to believe the platform can be made secure. Because Android still has a lot of side loading, any security solution on that platform can be compromised by malware more easily than most other platforms.”
According to Enderle, Google Prompt may “move the ball,” but “not as much as it would if people believed Google took security seriously.”