In a wonderful cybersecurity move that every vendor should replicate, Google is slowly moving toward multi-factor authentication (MFA) by default. To confuse matters, Google doesn't call MFA "MFA"; instead, it calls it "two-step verification (2SV)".
The best part is that Google is also encouraging the use of FIDO-compatible security key software built into the phone. It even has an iOS version, so it can run on both Android phones and iPhones.
To be clear, this built-in key is not designed to authenticate the user, according to Jonathan Skelker, product manager for Google Account Security. Android and iOS phones use biometrics for that (mostly facial recognition, with some fingerprint authentication), and biometrics, in theory, provide sufficient user authentication. The FIDO-compatible software is designed to authenticate the device for access from outside the phone, such as to Gmail or Google Drive.
In short, biometrics authenticates the user and then the internal key authenticates the phone.
The next question is whether companies other than Google will be able to take advantage of this built-in key. My guess, given that Google went out of its way to include rival Apple, is that the answer is probably yes.
It all started on May 6, when Google announced the change to default in a blog post, describing it as a key step toward eliminating ineffective passwords. Note: why Google didn't put a date on the blog post is a mystery.
On the one hand, having a phone that is almost always nearby serve as a replacement for a hardware key is smart security. It adds a touch of convenience to the process, which users should appreciate. And making it the default setting is also smart, since user laziness is well known.
Instead of having users dig into settings to enable Google's flavor of MFA, it's there by default. Let the few people who don't like it (and from a security, price, and convenience perspective, there's really not much not to like) spend their time digging through the settings.
But in a corporate environment, there's still a big reason to stick with external keys: consistency. First, those external keys have already been purchased in volume, so why not use them? In addition, users have many types of phones, and standardizing on external keys is simply easier for employees and contractors.
In the interview, Skelker said there is no security advantage for Google's built-in keys over external keys, given that both are FIDO-compliant. Again, that is as of today. There is a very high probability that Google will soon (probably within a few years) increase the security of its built-in software keys. When and if that happens, the CIO/CISO's decision will look very different.
At that point, you would have a free key that is better than the existing hardware keys. And it would already be in the hands of almost all employees and contractors.
While I applaud Google's efforts to get rid of the password, there is an industry-wide problem across all verticals. As long as the overwhelming majority of vendors and businesses still require passwords, having a few places that don't won't help much. In a perfect world, users would refuse to access environments that still require passwords. Revenue has a way of grabbing executives' attention.
But, unfortunately, most users don't care enough to do that, and many don't understand the security risks posed by passwords and PINs, especially when used on their own.
Copyright © 2021 IDG Communications, Inc.