Google Inviting 2-Step Verification SMS Users to Google Prompt

Google this week will start inviting 2-Step Verification (2-SV) SMS users to try Google Prompt, its year-old method of approving sign-in requests on smartphones.

Launched in June 2016, Google Prompt allows users to approve sign-in requests via 2-SV by simply tapping “Yes” on a prompt. Available for both Android and iOS users, Google Prompt received an improvement in February 2017, when Google added real-time security information about the login attempt, such as when and where it was made.

Google Prompt offers 2-SV over an encrypted connection and provides users with additional security features as well, including the option to block unauthorized access to their account.

While 2-SV users can also log in by tapping a Security Key or by entering a verification code sent to their phone, in addition to using prompts, Google is now inviting those who receive an SMS on their phones to try Google Prompt when they sign in.

“The invitation will give users a way to preview the new Google Prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out,” the Internet giant explains in a blog post.

In July last year, the National Institute of Standards and Technology (NIST) started deprecating SMS 2-step verification, just months after security researchers published a paper revealing that vulnerabilities in the mechanism expose it to simple bypass attacks.

“Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection,” Google notes.

According to the company, only 2-SV SMS users will receive the notification to test Google Prompt, meaning that those using a Security Key aren’t affected. The use of Google Prompt requires a data connection. On iOS devices, it also requires the Google Search app to be installed. Enterprise edition domains can enforce security keys for more advanced security requirements.

“While users may opt out of using phone prompts when shown the promotion, users will receive follow-up notifications to switch after 6 months,” the company concludes.


Ionut Arghire is an international correspondent for SecurityWeek.
