Google on Monday introduced that it is simplifying the method of enabling two-factor authentication (2FA) for customers with private and Workspace accounts.
Additionally known as, 2-Step Verification (2SV), it goals so as to add an additional layer of safety to customers’ accounts to stop takeover assaults in case the passwords are stolen.
The brand new change entails including a second step methodology, corresponding to an authenticator app or a {hardware} safety key, earlier than turning on 2FA, thus eliminating the necessity for utilizing the much less safe SMS-based authentication.
“That is notably useful for organizations utilizing Google Authenticator (or different equal time-based one-time password (TOTP) apps),” the corporate stated. “Beforehand, customers needed to allow 2SV with a telephone quantity earlier than having the ability to add Authenticator.”
Customers with {hardware} safety keys have two choices so as to add them to their accounts, together with by registering a FIDO1 credential on the {hardware} key or by assigning a passkey (i.e., a FIDO2 credential) to 1.
Google notes that Workspace accounts should be required to enter their passwords alongside their passkey if the admin coverage for “Enable customers to skip passwords at sign-in through the use of passkeys” is turned off.
In one other noteworthy replace, customers who choose to show off 2FA from their account settings will now not have their enrolled second steps robotically eliminated.
“When an administrator turns off 2SV for a person from the Admin console or through the Admin SDK, the second components will probably be eliminated as earlier than, to make sure person off-boarding workflows stay unaffected,” Google stated.
The event comes because the search big stated over 400 million Google accounts have began utilizing passkeys over the previous 12 months for passwordless authentication.
Trendy authentication strategies and requirements like FIDO2 are designed to resist phishing and session hijacking assaults by leveraging cryptographic keys generated by and linked to smartphones and computer systems with a view to confirm customers versus a password that may be simply stolen through credential harvesting or stealer malware.
Nevertheless, new analysis from Silverfort has discovered {that a} risk actor might get round FIDO2 by staging an adversary-in-the-middle (AitM) assault that may hijack person periods in purposes that use single sign-on (SSO) options like Microsoft Entra ID, PingFederate, and Yubico.
“A profitable MitM assault exposes the whole request and response content material of the authentication course of,” safety researcher Dor Segal statedstated.
“When it ends, the adversary can purchase the generated state cookie and hijack the session from the sufferer. Put merely, there isn’t a validation by the appliance after the authentication ends.”
The assault is made potential owing to the truth that most purposes don’t defend the session tokens created after authentication is profitable, thus allowing a nasty actor to realize unauthorized entry.
What’s extra, there isn’t a validation carried out on the gadget that requested the session, which means any gadget can use the cookie till it expires. This makes it potential to bypass the authentication step by buying the cookie by way of an AitM assault.
To make sure that the authenticated session is used solely by the consumer, it is suggested to undertake a way often called token binding, which permits purposes and companies to cryptographically bind their safety tokens to the Transport Layer Safety (TLS) protocol layer.
Whereas the token binding is proscribed to Microsoft Edge, Google final month introduced a brand new characteristic in Chrome known as Gadget Certain Session Credentials (DBSC) to assist defend customers towards session cookie theft and hijacking assaults.
