Google is streamlining its two-factor authentication processes, removing the need for users to provide a phone number and enabling admins to better manage internal security policies.
Two-factor authentication, or 2FA for short, is at the crux of security for countless apps and end-users – enabling users to protect against potential account compromises by requiring a second point of verification in addition to their username and password.
A 2019 report from Microsoft found that 2FA blocks 99.9% of automated attacks – such as password spray and brute force attacks – and while all forms of 2FA help to bolster security, SMS-based 2FA unanimously ranks least secure compared to other methods.
For workplaces and users looking to keep on top of their security, 2FA is often carried out using passkeys or one-time codes through dedicated authenticator apps such as Authy, LastPass or Google Authenticator.
Meanwhile, Google’s 2FA has long required users provide the tech giant a phone number during setup, with users only being able to select their preferred 2FA method after having already enabled it with a phone number.
Google’s new approach, available from today, does away with this initial SMS step – allowing users to abstain from providing a phone number and directly set up their preferred 2FA method from the outset.
Two birds, one 2FA overhaul
Available to all Google Workspace customers and users with personal Google accounts – such as a Gmail address – the soft move from SMS authentication appears to be motivated by managerial ease-of-use and user security.
While Google did not explicitly state its reasoning behind the sudden change, the company’s 2FA guide page urges users to make use of Google’s in-house prompt authenticator, noting phone number-based 2FA can be subject to “SIM swap and other phone number-based hacks”.
SIM-swap scams work by utilising a victim’s compromised personal details to fraudulently request a new SIM card connection from a telecommunications provider, enabling a would-be attacker to ultimately take control of a given mobile number.
The attack method may appear niche, but it’s become increasingly popular among cyber criminals looking to commit fraud and intercept valuable 2FA codes – with telco Medion Australia paying a near $260,000 fine earlier this year after it failed to appropriately verify over 1,600 SIM-swap requests.
The Google Workspace team also said the change will “make it easier for admins” to enforce two-step verification policies in their organisations.
For workplace admins, SMS-based 2FA can not only complicate organisational bring-your-own-device (BYOD) requirements by mixing professional accounts with personal mobile phones, but can also create potential blindspots as users deviate from the organisation’s approved 2FA methods.
Google notes the new process is “particularly helpful” for organisations using time-based one-time password apps, as users can select their organisation’s preferred method before turning on 2FA, and without enabling SMS-based 2FA whatsoever.
Finally, the update will also help admins ensure user safety by no longer automatically removing 2FA – such as backup codes or Google Authenticator – from an account when its user turns their 2FA setting off.
While Google’s overhauled approach still allows users to choose SMS as their preferred 2FA, it implicitly encourages users to consider other options and, at the very least, stops funnelling them directly towards the least secure method.
