Google on Monday announced that it is simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts.
Also called 2-Step Verification (2SV), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case their passwords are stolen.
The new change involves adding a second-step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need to use the less secure SMS-based authentication.
“This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the company said. “Previously, users had to enable 2SV with a phone number before being able to add Authenticator.”
Users with hardware security keys have two options to add them to their accounts: registering a FIDO1 credential on the hardware key, or assigning a passkey (i.e., a FIDO2 credential) to one.
Google notes that Workspace accounts will still be required to enter their passwords alongside their passkey if the admin policy for “Allow users to skip passwords at sign-in by using passkeys” is turned off.
In another noteworthy update, users who opt to turn off 2FA from their account settings will no longer have their enrolled second steps automatically removed.
“When an administrator turns off 2SV for a user from the Admin console or via the Admin SDK, the second factors will be removed as before, to ensure user off-boarding workflows remain unaffected,” Google said.
The development comes as the search giant said over 400 million Google accounts have started using passkeys over the past year for passwordless authentication.
Modern authentication methods and standards like FIDO2 are designed to resist phishing and session hijacking attacks by leveraging cryptographic keys generated by and bound to smartphones and computers in order to verify users, as opposed to a password that can be easily stolen via credential harvesting or stealer malware.
However, new research from Silverfort has found that a threat actor could get around FIDO2 by staging an adversary-in-the-middle (AitM) attack that can hijack user sessions in applications that use single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico.
“A successful MitM attack exposes the entire request and response content of the authentication process,” security researcher Dor Segal said.
“When it ends, the adversary can acquire the generated state cookie and hijack the session from the victim. Put simply, there is no validation by the application after the authentication ends.”
The attack is made possible by the fact that most applications do not protect the session tokens created after authentication succeeds, thus permitting a bad actor to gain unauthorized access.
What's more, there is no validation performed on the device that requested the session, meaning any device can use the cookie until it expires. This makes it possible to bypass the authentication step altogether by acquiring the cookie through an AitM attack: the FIDO2 ceremony is phishing-resistant, but the session it produces is not tied to the device that completed it.
To ensure that the authenticated session is used only by the client that established it, it is recommended to adopt a technique known as token binding, which allows applications and services to cryptographically bind their security tokens to the Transport Layer Security (TLS) protocol layer.
While token binding is currently limited to Microsoft Edge, Google last month announced a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft and hijacking attacks.