Google slides text message 2FA a little closer to the door
A Prompt response to insecurity
Text messages aren't a great way to implement two-factor authentication, but it's a technique that's stubbornly persistent. Now Google has decided to push things along by pushing its alternative into production.
The Chocolate Factory's alternative is called "Google Prompt". Instead of sending users a one-time code in a text message, it asks users if they are trying to sign in. If they are, in they go. If they're not expecting the login prompt, down come the shutters.
Prompt first landed as a trial back in July, replacing SMS-based 2FA with an app. As the company explained here, text-based 2FA is susceptible to phishing, so a prompt improves security.
Infosec bods have long warned that 2FA-by-text was insecure. Last year, NIST said it should be deprecated, and the problems were made manifest in May when attackers started exploiting Signalling System 7 (SS7) vulnerabilities to steal 2FA-protected logins.
Last month, Positive Technologies named Gmail as one service still vulnerable to compromise via SS7.
Mountain View is following one of NIST's preferred paths: an app for 2FA.
For now, text-based 2FA will remain as a fallback option alongside Authenticator, backup codes, and Google's Security Keys.
As the blog post noted, “This will only impact users who have not yet set up 2SV. Current 2SV users' settings will be unaffected. In addition, if a user attempts to set up 2SV but doesn’t have a compatible mobile device, he or she will be prompted to use SMS as their authentication method instead.”
One reason for retaining text 2FA is that the Prompts app needs a data connection to work.
The 2FA app supports both Android and iOS phones (Apple users need the Google app to use Prompts). ®