Google Is Finally Making Two-Step Verification Less Annoying (theguardian.com)

Google, which first introduced two-factor authentication about five years ago, is now making this security measure a little easier to use. Instead of having to manually enter a code received in a text message, users will now see a prompt that only requires a tap on the phone to approve the login request. The feature will be available on Android as well as iOS soon. The Guardian reports: You do have to turn this service on even if you already use two-step. To turn it on you need to first log in to Google and then go to My Account > Sign-in & security > Signing in to Google > 2-step Verification. There you will have options to turn on two-step verification, add Google prompt as an extra form of authentication or replace your existing two-step method. Google isn't the first to use notifications as a method of login verification; both Twitter and Facebook allow users to confirm logins using notifications from their respective smartphone apps. But even they require entering the app, viewing the alert and tapping confirm. Google's one-tap confirm is much faster.
  • by Anonymous Coward

    And why on God's green earth would I want to give Google my telephone number?

    • by Anonymous Coward on Tuesday June 21, 2016 @09:48AM (#52359059)

      You really think they don't have it already?

      That's... cute.

      • I have no phone!

    • by __aaclcg7560 ( 824291 ) on Tuesday June 21, 2016 @09:50AM (#52359079)
      Two-factor authentication is based on what you know (your password) and what you have (your cellphone). If script kiddies try to hack into your account by guessing your password, they will still need your cellphone before they can log into your account.
      • Right. And when I get a new phone then I no longer have what I had and I can't log into Google anymore. I never turned on this feature anyway because for a very long time I explicitly disabled texts. Is there an equivalent to password resets, a "I lost my dongle" button to click?

        • And when I get a new phone then I no longer have what I had and I can't log into Google anymore.

          Get a new phone, change your set up. Shouldn't be an impossible situation. Unless, of course, you have a problem with change.

          I never turned on this feature anyway because for a very long time I explicitly disabled texts.

          I was the same way until I got a data plan that provided unlimited texts.

          There are emergency codes you print out and keep in a safe place in case you lose your phone. Or you can keep one of the FIDO tokens mentioned before as a spare, in case you lose your phone.

          And two-factor runs completely without text messages if you use an app to generate the OTP. It's a standard algorithm and it can work completely offline.

    • by Anonymous Coward

      If you use Apple or Windows Phone, you probably want to avoid it... in fact, wrap your phone in a tinfoil case, just to be safe. If you use Android..... Google already has your phone number and this just makes 2-factor authentication far easier to use with no loss in security.

    • It's a security thing. If someone gets into my gmail account, they can reset the passwords for most of my accounts.

      With two step, even if they have the password for my gmail account, they need a random number that google sends to my phone each time I (or someone) tries to log into my account.

      My bank does this too.

    • I understand the sentiment but do you honestly believe that they don't already have it?

        You do realize there is a difference between giving your phone number to someone as opposed to them having it because someone else gave it to them?
    • by Jawnn ( 445279 ) on Tuesday June 21, 2016 @10:11AM (#52359231)
      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.
    • Alternatively a usb token like this $6 one I use [amazon.com] would provide a secure second factor.
    • by Anonymous Coward

      It stops people from "hacking" your account and making purchases against you. E.g. Sony do not have two factor authentication, and people regularly find someone guessing their password (or logged by LAN sniffers on compromised MS Windows machines). This account is likely to have payment details stored in Sony's system, just like fleabay, Amazon, Apple et al. Naughty hacker now logs in using your PSN details, "buys" tons of games, loads on to their console, and then reverts to their own account to play them.

      • by mlts ( 1038732 )

        Two step forces an attacker to go from passive harvesting to actively targeting people for attack. A list of brute forced passwords is useless against accounts that use 2FA. Without it, there is a good chance the attacker will be able to find some accounts with the same or similar passwords.

    • by CrimsonAvenger ( 580665 ) on Tuesday June 21, 2016 @10:45AM (#52359511)

      I take it that a "Telephone Book" is a strange idea where you come from?

      Yes, I know they don't usually do them for cell phones, but there isn't a really good reason why the notion should be outrageous or anything....

    • Isn't it just an app you install on the smartphone? No telephone number involved. You could get an affordable Android phone and only use it with wi-fi.
    • Two words: Password recovery.

      Google forums are full of "clever" people who went from

      And why on God's green earth would I want to give Google my telephone number?

      to "why can't Google just text me a new password to my cell" without any transition....

  • by Anonymous Coward on Tuesday June 21, 2016 @09:49AM (#52359063)

    I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

    • by gmack ( 197796 )

      For cases like that, you can get a U2F key. It is a USB dongle so no internet connection required.

    • by GIL_Dude ( 850471 ) on Tuesday June 21, 2016 @10:20AM (#52359307) Homepage
      So, this is an improvement because it is just one step of the process. If it fails (due to the no data connection issue you mention), you just click to use another method and it fails back to the previous text message option. So no real downside on that count. The biggest drawback I have hit with it is that Google won't let you use both this new method and a hardware security key (I was using a Yubikey). You have to remove the hardware security key from your account in order to add this new method. That's really a bummer because the hardware keys didn't rely on your phone at all. You just have a small USB key that you pop into the computer and press a button when prompted.
    • by AmiMoJo ( 196126 )

      I would assume that the code entry option remains as a backup should you be unable to get a data connection.

    • by EvilSS ( 557649 )

      I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Why do you think the app won't also give you a code if you need it because you are offline? Blizzard, Microsoft (on Android, they use Google Auth or Authy on iOS weirdly enough), and LastPass all have push auth requests but give you the option to manually input the code if you need to. I'm sure Google will as well.

    • Since they allow paper backups, I would assume you could still use the numbers... (disclaimer: haven't RTFA yet)
    • by cyn1c77 ( 928549 )

      I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Google is actually letting you choose from several different methods including "tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs... [blogspot.co.uk]

  • Let's face it: the IT industry has, intentionally or otherwise, pretty much trained users to just robotically click "Yes" and "I Accept" on eight trillion things they don't understand. And now we will have eight trillion and one, and security will be worse for it.

    • That's not the IT industry, it's the software industry. The IT industry, of course, doesn't allow users to install software willy-nilly, especially if downloaded off the Internet and mindlessly clicking "Yes"/"I Accept" everything.
      • by Qzukk ( 229616 ) on Tuesday June 21, 2016 @10:30AM (#52359383) Journal

        But how else am I going to watch tits.avi.scr.js.jpg.exe.com if I don't click Allow?!

        BTW, how many more versions of windows will continue to "hide extensions for known file types"?

        • BTW, how many more versions of windows will continue to "hide extensions for known file types"?

          I don't expect that to change in any future version of Windows. Here's a link to fix your problem.

          http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions [microsoft.com]

        • BTW, how many more versions of windows will continue to "hide extensions for known file types"?

          Before you complain about this ask yourself:
          1) Did people know what a filetype was?
          2) Did the rate of success for these attacks change dramatically as a result?

          The most common infection vector for these types of files does NOT go through Windows Explorer. They are downloads complete with a box asking if you want to open the file, or email attachments which show the file name in full. People were fooled before, people will continue to be fooled, and hiding or showing the file extension in an operating system doe

    • by Anonymous Coward

      The point of this form of two-step authentication is that you prove that you have physical possession of the cellphone associated with the account in addition to the password for the account. Having to manually enter a code does not provide any additional security over tapping on the phone - you either have the phone or you don't. So you might as well do it in the most convenient way possible.

      • by friedmud ( 512466 ) on Tuesday June 21, 2016 @12:26PM (#52360279)

        While I think this is a good idea... I can kind of understand what he's saying.

        Imagine this:

        1. Bad guys steal password
        2. Bad guys go to gmail.com and enter password
        3. Good guy receives notification that approval is needed for a login
        4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

        That scenario couldn't happen with a pin code being sent... because the Bad guys would not receive the pin code and the Good guy wouldn't have anywhere to enter the pin code...

        I agree that it's pretty boneheaded... but the point of the parent is that we're all so used to clicking OK/Approve (and we REALLY will be if every website requires this kind of authentication) that many normal people might accidentally click Approve for bad requests...

  • A Google App? (Score:1, Offtopic)

    by Toad-san ( 64810 )

    And how long do you think it'll take for the Bad Guys [tm] to invent their own "one-tap app", that will look and act exactly like Google's .. or worse, will be phished or sneaked into your system without your knowing, will act like your phone, and will transmit everything it discovers to its real owners? Lessee, what is today .. Tuesday?

    • Re:A Google App? (Score:4, Insightful)

      by cryptizard ( 2629853 ) on Tuesday June 21, 2016 @10:28AM (#52359369)
      I'm not sure you understand what this does. You might as well say how long do you think it will take for someone to make a fake Gmail app that steals your Google password? Or any other service for that matter? It is a completely orthogonal question to this topic.
  • by 93 Escort Wagon ( 326346 ) on Tuesday June 21, 2016 @09:58AM (#52359135)

    But I don't find SMS two-factor to be particularly burdensome. It's simple, it works, and it relies only on a de-facto standard method of communication that pretty much everyone already has access to - no vendor lock-in required.

    • My main problem with SMS two factor is that in order to do it, I need to tell them my phone number. This gives the service a unique ID.

      I much prefer a YubiKey based solution, where the protocol is open and one can implement whatever one wants on the client side (including an app where you have to tap, or a USB stick you have to put into the computer, etc).

      • by Threni ( 635302 )

        If you're using android (on a phone) then they have your mobile number. I think you need a phone number to sign up for any google service, don't you?

      • Maybe there's something I don't understand here because I grew up in a world where there was such a thing as a phone book which listed everyone's number, but ... do you really think Google doesn't already have your phone number?

    • by AmiMoJo ( 196126 )

      Cost is a problem. SMS is insanely expensive for what it is, and millions of users generating millions of SMS messages a day adds up to a lot of money. It also has issues traversing borders and networks, which can end up costing you a lot of money if you receive texts while roaming abroad.

      The rolling code system laid out in the RFC that Google implemented has none of those disadvantages, and the added advantage that it doesn't rely on the mobile network securing your message against eavesdropping. You also

      • by ceoyoyo ( 59147 )

        "You don't have to use Google's app."

        Even better, you CAN use Google's app. I'm looking into implementing secure authentication for a small project at work but I wasn't looking forward to having to write an app just for that. A bit of research and it turns out that I can just ask the end users to download Google's authenticator, Authy, or any of a bunch of apps, dongles, etc.

    • SMS is notoriously insecure. The encryption is only between the phone and the tower. A hacker could potentially intercept the message anywhere else along the transmission route [duo.com]. To truly be secure, it has to be end-to-end encryption, like SSL on websites. Apple sort of has the right idea with iMessage, except they manage the end-to-end keys themselves [arstechnica.com] so they (or a hacker who breaks into their servers) could potentially read your messages. It needs to be done using keys generated and stored only on the
      • I understand the concern, but if your phone gets stolen, the thief will only have one of the pieces, right? They'd still need the actual password for the account
    • by Bengie ( 1121981 )
      Too bad it's not secure. SMS is easily intercepted because the telecom systems have no authentication. Lots of stories about trivial SMS and phone call interception have hit the tech news over the years.
    • by ceoyoyo ( 59147 )

      Google's authenticator is just a front end for a standard two-factor scheme. It's simple, it works, it relies on an actual standard, and pretty much anyone who has access to a computing device, including a cheap dongle, can use it, on or off line. Plus it doesn't involve your phone company.

      The encryption-based second factor is also good because anyone can implement it, for free, from a random Slashdotter in his basement on up. Actually, anyone can use Google's authenticator app. Apparently even Microsoft

    • I don't like having to retype the code, and if I don't get it while the notification is showing, I have to tap my phone up to THREE WHOLE TIMES to open it in the messaging app!

      Oh, okay, it's not that big a hassle. It's only slightly more convenient, but I still like that. The Microsoft Authenticator already works that way (and is compatible with anything that can use the Google Authenticator), and I've found that it feels much faster and easier, even if the actual difference is pretty minor.

  • Does Google allow you to use Google Authenticator?
  • Requires data (Score:4, Interesting)

    by ubergeek65536 ( 862868 ) on Tuesday June 21, 2016 @10:19AM (#52359291)

    It's useless if you don't have a data plan on your phone.

    • by cyn1c77 ( 928549 )

      It's useless if you don't have a data plan on your phone.

      Google is actually letting you choose from several different methods including " tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs... [blogspot.co.uk]

    • It's useless if you don't have a data plan on your phone.

      That depends. I find every situation where I am able to access the internet on a PC I'm usually in range of free WiFi too.

      Not to mention that the fallback of SMS still exists.

  • Worse security (Score:5, Insightful)

    by WPIDalamar ( 122110 ) on Tuesday June 21, 2016 @10:34AM (#52359427) Homepage

    This is probably way worse security for the techno-illiterate.

    Attacker enters password.
    Clueless user gets notification, taps it.
    Attacker is let in.

    Whereas before it would be:

    Attacker enters password.
    Clueless user gets a number that they don't know what to do with
    Attacker is not let in.

    • by EvilSS ( 557649 )
      To be fair the moron in your scenario probably won't turn on 2-factor to begin with since it's required or enabled by default.
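The scenario laid out twice in this thread (attacker enters the password, the user reflexively taps Approve, the attacker is in) is what number matching exists to defeat, and a later comment sketches exactly that design: the login screen shows a number, the app shows it too, and the user confirms the match. This is an added, constructed model of the server side of such a scheme, not Google's implementation: each prompt is single-use and expires, the two-digit number appears only on the login screen so a blind tap cannot supply it, open prompts per account are capped against prompt flooding, and repeated mismatches lock further prompts.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Prompt:
    prompt_id: str        # opaque handle the phone app receives with the push
    account: str
    match_number: str     # two digits shown only on the login screen, never in the push
    origin: str           # where the attempt came from, displayed to the user in the app
    created_at: float
    decided: bool = False

class PushApprovalServer:
    """Constructed model of the server side of tap-to-approve login with number matching."""

    def __init__(self, ttl_seconds=60, max_pending=2, max_mismatches=3, now=time.time):
        self.ttl = ttl_seconds              # an unanswered prompt expires on its own
        self.max_pending = max_pending      # cap on open prompts per account (prompt flooding)
        self.max_mismatches = max_mismatches
        self.now = now                      # injectable clock so the behaviour is testable
        self.prompts: dict[str, Prompt] = {}
        self.mismatches: dict[str, int] = {}

    def _open_prompts(self, account: str) -> list:
        return [p for p in self.prompts.values() if p.account == account
                and not p.decided and self.now() - p.created_at < self.ttl]

    def request_login(self, account: str, origin: str):
        """After the password checked out: returns a Prompt, or None when the account
        is locked by repeated mismatches or already has too many open prompts."""
        if self.mismatches.get(account, 0) >= self.max_mismatches:
            return None
        if len(self._open_prompts(account)) >= self.max_pending:
            return None
        prompt = Prompt(secrets.token_urlsafe(16), account,
                        f"{secrets.randbelow(100):02d}", origin, self.now())
        self.prompts[prompt.prompt_id] = prompt
        return prompt

    def approve(self, prompt_id: str, typed_number: str) -> bool:
        """The phone sends back the number the user read off the login screen; someone
        who cannot see that screen cannot supply it, so a reflexive tap on a prompt the
        attacker triggered no longer lets the attacker in."""
        prompt = self.prompts.get(prompt_id)
        if prompt is None or prompt.decided or self.now() - prompt.created_at >= self.ttl:
            return False
        prompt.decided = True               # single use, whether the answer matches or not
        if hmac.compare_digest(prompt.match_number, str(typed_number)):
            self.mismatches.pop(prompt.account, None)
            return True
        self.mismatches[prompt.account] = self.mismatches.get(prompt.account, 0) + 1
        return False

    def deny(self, prompt_id: str) -> None:   # "this wasn't me" from the app
        prompt = self.prompts.get(prompt_id)
        if prompt is not None:
            prompt.decided = True
```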
  • Ah yes.
    That obstacle to logging in, making it impossible to access Google services if you do not carry your phone, lost it, it got stolen, the battery is empty, it crashed, it's out of coverage area.
    Not sure how that can be made "less annoying".

  • Blizzard has similar functionality where the app will look at queued login attempts and ask for approval. Before that, it was IBM's ZTIC which was one of the first 2FA systems which did this.

    I wish this were open source, just like TOTP is right now. I use a third party application that allows me to sync my 2FA codes (encrypted, of course) among my devices, including my Linux boxes, and my NAS machines. Having the ability to just tap "approve" for SSH connections would be nice, but it likely would require

  • If they implement this properly it will be awesome with smartwatches!

    My school uses 2FA through a company called Duo and anytime I go to log in to a school website a notification pops up on my Apple Watch and I just need to touch "Approve" and I'm in. No fumbling for my phone or a key-fob... it's instant and convenient... takes all of the pain out of 2FA.

  • Thank goodness it's optional. I'll stick with the existing 2-factor authentication via SMS, thanks:
    • Existing 2-factor authentication can work with any old dumb phone
    • New 2-factor authentication requires a tablet or smartphone with a data connection *and* it requires you to install the Google Search app (which will no doubt be reporting back to Googs on your every action).
  • I've been doing this for months. I'm sure the service has been available for much longer.

  • But without google.

    Something like an android app and some web service coupled with a pam module. The login prompt then displays a number, the app displays the number as well and I can accept the login from the app with a single tap. Fallback to normal google authenticator.
