Google Is Finally Making Two-Step Verification Less Annoying

Google, which first introduced two-factor authentication about five years ago, is now making it a little easier to utilize this security measure. Instead of users having to manually enter a code that they received in a text message, they will now see a prompt message that only requires them to tap on the phone to approve login requests. The feature will be available on Android as well as iOS soon. The Guardian reports: You do have to turn this service on even if you already use two-step. To turn it on you need to first login to Google and then go to My Account > Sign-in & security > Signing in to Google > 2-step Verification. There you will have options to turn on two-step verification, add Google prompt as an extra form of authentication or replace your existing two-step method. Google isn't the first to use notifications as a method of login verification, both Twitter and Facebook allow users to confirm logins using notifications from their respective smartphone apps. But even they require entering the app, viewing the alert and tapping confirm. Google's one-tap confirm is much faster.

Why would I want 2 step

[Anonymous Coward]

And why on God's green earth would I want to give Google my telephone number?

Re:Why would I want 2 step

[Anonymous Coward]

You really think they don't have it already?

That's... cute.

Re: Why would I want 2 step

[ikejam]

Perhaps so, but do consider this : if you have say a hundred friends (a fair percentage of whom will be using android ) who have you in their contacts, ( not them in yours which ofcourse is under your control) , it would be trivial for Google to know your contact number with a high level of certainty

Re:

[Blymie]

Call logs are the real problem though. Every call Google Play Equipped phones make, every call that comes in, Google also has a record of that.

That, combined with other people's address book, gives them all they need.

Not that they'll ever get my phone number Willingly either.

Re:

[allo]

nope, they do not transfer call logs to their servers. If they do, it would be rather new and a reason to sue them.

Re:

[RavenLrD20k]

Ok...how about this... Do you do business with any companies that have your name and number? Have you ever had to hire some sort of service provider for a utility or home infrastructure (ie plumbing, electrical, HVAC, etc)? Have you ever placed an order for some part or device that was not kept on-site that you were required to provide a contact number for?

No one has 100 real friends. Just about everyone in modern society has at least 100 people that maintain you on their contact list. Out of those 100

Nobody has a hundred friends?

[maggard]

I do. I'm nearly 50 years old, have lived in several places, have worked at a number of jobs over the years, had multiple romantic relationships in my life. I've made friends every year, in all of those places, through many diverse ways. Are all of the folks I've friended currently on my short list? No. But that list of a dozen close friends has evolved over time with new ones entering and others dropping off as we move about, go through various stages of life, some have died, etc. But they have my phone number. I have theirs. I may also have their closest friends or family members phone numbers. That adds up to well over a hundred people. And while I'm social I'm nobody compared to some of the butterflies I know. More than two people for every year of life? Those gregarious folks get, and use, that many numbers in a night on the town. No, for most of us non-hermetic folks I'd guess a hundred friends or more is entirely unsurprising.

Re:

[thegarbz]

So you don't know anyone then? I know with 100% certainty that Google knows the phone number of every contact I've ever put in my phone and it's attached to their name and their most common email address, and all with zero option to opt in or out on their behalf.

That is a feature of Android as it is the feature of any messaging app, contacts organisers (gmail), or social media apps Google has ever released.

They know your number. Get over it.

Re:

[Xicor]

if you are on android they do....

How could they?

[HalAtWork]

I have no phone!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[HalAtWork]

No sim card... Or do you mean I should get a hangouts phone number and get SMS that way? That kinda puts me in a weird authentication loop

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[HalAtWork]

Oh :) Thanks never looked into it, I will now! Hope that will stop them asking me to enter a phone number about every 10 times I log into the web client

Re:Why would I want 2 step

[__aaclcg7560]

Two-factor authentication is based on what you know (your password) and what you have (your cellphone). If script kiddies tries to hack into your account by guessing your password, they will still need your cellphone before they can log into your account.

Re:

[Darinbob]

Right. And when I get a new phone then I no longer have what I had and I can't log into Google anymore. I never turned on this feature anyway because for a very long time I explicitly disabled texts. Is there an equivalent to password resets, a "I lost my dongle" button to click?

Re:

[__aaclcg7560]

And when I get a new phone then I no longer have what I had and I can't log into Google anymore.

Get a new phone, change your set up. Shouldn't be an impossible situation. Unless, of course, you have a problem with change.

I never turned on this feature anyway because for a very long time I explicitly disabled texts.

I was the same way until I got a data plan that provided unlimited texts.

Re:

[bickerdyke]

There are emergency codes you print out and keep in a safe place in case you lose your phone. Or you can keep one of the fido tokens before as a spare, in case you lost your phone.

And two-factor runs completely without text messages if you use an app to generate the otp. It's a standard algorithm and it can work completely offline.

Re:

[EvilSS]

"What you have" in the case of a text message is your cellphone number, which we've seen companies port over to the hacker's phone with enough social engineering.

I stick to google authenticator, and avoid using the phone for browsing the web and getting it hacked.

Google Authenticator is what the article is talking about.

Re:Why would I want 2 step

[__aaclcg7560]

And how exactly does it work if I do not have a cellphone?

Google recommends these security tokens in the US as an alternative.

https://support.google.com/accounts/answer/6103523?hl=en [google.com]
https://www.amazon.com/s/?field-keywords=%22FIDO%20U2F%20Security%20Key%22 [amazon.com]

Re:

[tepples]

Google recommends [FIDO] security tokens in the US as an alternative.

The page on support.google.com says this won't work with a web browser other than Chrome, such as if I'm testing my website's "Sign in with Google" functionality on other browsers (especially Firefox, Edge, and IE 11).

Re:

[ceoyoyo]

In addition to the other suggestions, Google uses a standard two-factor encryption protocol. You should be able to use any device, including a Desktop computer, that can run that code. I know there's a Python library.

Re:

[Nunya666]

And how exactly does it work if I do not have a cellphone?

You're funny. Someone on /. that doesn't have a cellphone. Yeah, right!

Software alternative: OTP

[DrYak]

Another alternative is to use TOTP (Time-derived One-time password):
an ever changing code that is based on a hash, computed out of the current time (hence the ever changing) and a shared secret that only you and google know.

Only someone possessing the shared secret can compute the correct code for that time.
The secret itself is never sent on the wire, only the current-time code derived of the secret is.

You can find apps running on tons of other hardware if you don't own an Android nor an iPhone (or simply d

Re:

[Anonymous Coward]

If you use Apple or Windows Phone, you probably want to avoid it... in fact, wrap your phone in a tinfoil case, just to be safe. If you use Android..... Google already has you phone number and this just makes 2-factor authentication far easier to use with no loss in security.

Re:

[JackieBrown]

It's a security thing. If someone gets into my gmail account, they can reset the passwords for most of my accounts.

With two step, even if they have the password for my gmail account, they need a random number that google sends to my phone each time I (or someone) tries to log into my account.

My bank does this too.

Re:

[andrewbaldwin]

I understand the sentiment but do you honestly believe that they don't already have it?

Re:

[Stan92057]

You do realize their is a difference is giving your phone number to someone as apposed to them having it because someone else gave it to them?

Re:Why would I want 2 step

[Jawnn]

Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

Re:

[Jawnn]

Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

Don't be naive, Google will violate any "long established regulations", with impunity, whenever they want, to advance their core ADVERTISING business.

[citation needed]
How has Google run afoul of regulations governing mobile or wireline telephony? Right. They haven't. Given that they're Google, if they were going to behave in the manner you fear, they would have done so by now. They have not and they will not because there's nowhere near enough profit in telephony efforts compared to what they are already squeezing out of search, Android, Chrome, etc.

Re:

[cmiller173]

Alternatively a usb token like this $6 one I use [amazon.com] would provide a secure second factor.

Re:

[Anonymous Coward]

It stops people from "hacking" your account and making purchases against you. E.g. Sony do not have two factor authentication, and people regularly find someone guessing their password (or logged by LAN sniffers on compromised MS Windows machines). This account is likely to have payment details stored in Sony's system, just like fleabay, Amazon, Apple et al. Naughty hacker now logs in using your PSN details, "buys" tons of games, loads on to their console, and then reverts to their own account to play them.

Re:

[mlts]

Two step forces an attacker to go from passive harvesting to actively targeting people for attack. A list of brute forced passwords is useless against accounts that use 2FA. Without it, there is a good chance, the attacker will be able to find some accounts with the same or similar passwords.

Re:Why would I want 2 step

[CrimsonAvenger]

I take it that a "Telephone Book" is a strange idea where you come from?

Yes, I know they don't usually do them for cell phones, but there isn't a really good reason why the notion should be outrageous or anything....

Re:

[jbmartin6]

Isn't just an app you install on the smartphone? No telephone number involved. You could get an affordable Android phone and only use it with wi-fi.

Re:

[bickerdyke]

Two words: Password recovery.

Google forums are full of "clever" people who went from

And why on God's green earth would I want to give Google my telephone number?

to "why can't Google just text me a new password to my cell" without any transition....

I am not sur this is an improvement

[Anonymous Coward]

I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

Re:

[gmack]

For cases like that, you can get a U2F key. It is a USB dongle so no internet connection required.

Re:I am not sur this is an improvement

[GIL_Dude]

So, this is an improvement because it is just one step of the process. If it fails (due to the no data connection issue you mention), you just click to use another method and it fails back to the previous text message option. So no real downside on that count. The biggest drawback I have hit with it is that Google won't let you use both this new method and a hardware security key (I was using a Yubikey). You have to remove the hardware security key from your account in order to add this new method. That's really a bummer because the hardware keys didn't rely on your phone at all. You just have a small USB key that you pop into the computer and press a button when prompted.

Re:

[AmiMoJo]

I would assume that the code entry option remains as a backup should you be unable to get a data connection.

Re:

[EvilSS]

I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

Why do you think the app won't also give you a code if you need it because you are offline? Blizzard, Microsoft (on Android, they use Google Auth or Authy on iOS weirdly enough), and LastPass all have push auth requests but give you the option to manually input the code if you need to. I'm sure Google will as well.

Re:

[RevRagnarok]

Since they allow paper backups, I would assume you could still use the numbers... (disclaimer: haven't RTFA yet)

Re:

[cyn1c77]

I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

Google is actually letting you choose from several different methods including " tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

Ref: http://googleappsupdates.blogs... [blogspot.co.uk]

Oh joy - more clickthrough.

[ErikTheRed]

Let's face it: the IT industry has, intentionally or otherwise, pretty much trained users to just robotically click "Yes" and "I Accept" on eight trillion things they don't understand. And now we will have eight trillion and one, and security will be worse for it.

Re:

[__aaclcg7560]

That's not the IT industry, it's the software industry. The IT industry, of course, doesn't allow users to install software willy-nilly, especially if downloaded off the Internet and mindlessly clicking "Yes"/"I Accept" everything.

Re:Oh joy - more clickthrough.

[Qzukk]

But how else am i going to watch tits.avi.scr.js.jpg.exe.com if I don't click Allow?!

BTW, how many more versions of windows will continue to "hide extensions for known file types"?

Re:

[__aaclcg7560]

BTW, how many more versions of windows will continue to "hide extensions for known file types"?

I don't expect that to change in any future version of Windows. Here's a link to fix your problem.

http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions [microsoft.com]

Re:

[thegarbz]

BTW, how many more versions of windows will continue to "hide extensions for known file types"?

Before you complain about this ask yourself:
1) Did people know what a filetype was?
2) Did the rate of success for these attacks change dramatically as a result?

The most common infection vector for these types of files do NOT go through windows explorer. They are downloads complete with box asking if you want to open the file, or email attachments which show the file name in full. People were fooled before, people will continue to be fooled, and hiding or showing the file extension in an operating system doe

Re:

[Anonymous Coward]

The point of this form of two-step authentication is that you prove that you have physical possession of the cellphone associated with the account in addition to the password for the account. Having to manually enter a code does not provide any additional security over tapping on the phone - you either have the phone or you don't. So you might as well do it in the most convenient way possible.

Re:Oh joy - more clickthrough.

[friedmud]

While I think this is a good idea... I can kind of understand what he's saying.

Imagine this:

1. Bad guys steal password
2. Bad guys go to gmail.com and enter password
3. Good guy receives notification that approval is needed for a login
4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

That scenario couldn't happen with a pin code being sent... because the Bad guys would not receive the pin code and the Good guy wouldn't have anywhere to enter the pin code...

I agree that it's pretty boneheaded... but the point of the parent is that we're all so used to clicking OK/Approve (and we REALLY will be if every website requires this kind of authentication) that many normal people might accidentally click Approve for bad requests...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[friedmud]

You don't when using Duo at least...

A Google App?

[Toad-san]

And how long do you think it'll take for the Bad Guys [tm] to invent their own "one-tap app", that will look and act exactly like Google's .. or worse, will be phished or sneaked into your system without your knowing, will act like your phone, and will transmit everything it discovers to its real owners? Lessee, what is today .. Tuesday?

Re:A Google App?

[cryptizard]

I'm not sure you understand what this does. You might as well say how long do you think it will take for someone to make a fake Gmail app that steals your Google password? Or any other service for that matter? It is a completely orthogonal question to this topic.

Perhaps I'm the only one

[93 Escort Wagon]

But I don't find SMS two-factor with to be particularly burdensome. It's simple, it works, and it relies only on a de-facto standard method of communication that pretty much everyone already has access to - no vendor lock-in required.

Re:

[NotInHere]

My main problem with SMS two factor is that in order to do it, I need to tell them my phone number. This gives the service an unique ID.

I much more prefer a yubikey based solution, where the protocol is open and one can implement whatever one wants on the client side (including an app where you have to tap, or an usb stick you have to put into the computer, etc).

Re:

[Threni]

If you're using android (on a phone) then they have your mobile number. I think you need a phone number to sign up for any google service, don't you?

Re:

[thegarbz]

Maybe there's something I don't understand here because I grew up in a world where there was such a thing as a phone book which listed everyone's number, but ... do you really think Google doesn't already have your phone number?

Re:

[AmiMoJo]

Cost is a problem. SMS is insanely expensive for what it is, and millions of users generating millions of SMS messages a day adds up to a lot of money. It also has issues traversing borders and networks, which can end up costing you a lot of money if you receive texts while roaming abroad.

The rolling code system laid out in the RFC that Google implemented has none of those disadvantages, and the added advantage that it doesn't rely on the mobile network securing your message against eavesdropping. You also

Re:

[ceoyoyo]

"You don't have to use Google's app."

Even better, you CAN use Google's app. I'm looking into implementing secure authentication for a small project at work but I wasn't looking forward to having to write an app just for that. A bit of research and it turns out that I can just ask the end users to download Google's authenticator, Authy, or any of a bunch of apps, dongles, etc.

Re:

[AmiMoJo]

I wish RDP supported two factor auth.

Re:

[Solandri]

SMS is notoriously unsecure. The encryption is only between the phone and the tower. A hacker could potentially intercept the message anywhere else along the transmission route [duo.com]. To truly be secure, it has to be end-to-end encryption, like SSL on websites. Apple sort of has the right idea with iMessage, except they manage the end-to-end keys themselves [arstechnica.com] so they (or a hacker who breaks into their servers) could potentially read your messages. It needs to be done using keys generated and stored only on the

Re:

[alvarogmj]

I understand the concern, but if your phone gets stolen, the thief will only have one of the pieces, right? they'd still need the actual password for the account

Re:

[Bengie]

Too bad it's not secure. SMS is easily intercepted because the telcom systems have no authentication. Lots of stories about SMS and phone call trivial interception have hit the tech news over the years.

Re:

[ceoyoyo]

Google's authenticator is just a front end for a standard two-factor scheme. It's simple, it works, it relies on an actual standard, and pretty much anyone who has access to a computing device, including a cheap dongle, can use it, on or off line. Plus it doesn't involve your phone company.

The encryption-based second factor is also good because anyone can implement it, for free, from random Slashdotter in his basement on up. Actually, anyone can use Google's authenticator app. Apparently even Microsoft

Re:

[sabbede]

I don't like having to retype the code, and if I don't get it while the notification is showing, I have to tap my phone up to THREE WHOLE TIMES to open it in the messaging app!

Oh, okay, it's not that big a hassle. It's only slightly more convenient, but I still like that. The Microsoft Authenticator already works that way (and is compatible with anything that can use the Google Authenticator), and I've found that it feels much faster and easier, even if the actual difference is pretty minor.

Re:

[cryptizard]

Get a Yubikey or other Universal 2 Factor device. Amazon has one for $6.

Re:

[EvilSS]

> I don't find SMS two-factor with to be particularly burdensome

I do. This year I spent my vacation on a boat. No phone signals. But, at the top of mast was a 4G dongle, so we had fast WiFi on board.

This summer, I'll spend two weeks in another remote location with little/no phone coverage - but plenty of wifi hotspots.

How do I access my email if I have WiFi, but no phone coverage to receive SMS?

At least I'll be able to get into GitHub - they let you use your prefered TOTP software one your own device. No SMS.

You use the authenticator app and use the code it gives you and enter it manually. Jesus this isn't an either/or. Every other push-auth app out there does this.

Re:

[crashumbc]

^^ this

And Google give you back-up codes to use, you do have them right?

Re:

[crashumbc]

True, but how often does THAT happen? Just like locks on your door 2 FFA isn't meant to be the holy grail. Its just another layer of security and a very formidable one at that.

Re:

[Jawnn]

LOL, Microsoft has been doing this for a long time already.

So has Duo Security. I wonder what this move by Google will do to their business model.

Re:

[friedmud]

Duo's solution is awesome... even works perfectly with my Apple Watch! When I try to sign on to a website using Duo I get a message on my Watch that allows me to immediately approve the access... without getting out my phone or fumbling for a key-fob.

Can't wait to see this in action in other places! Hopefully Google will add this capability to Authenticator...

Re:

[cryptizard]

Ok, but if they get your phone they can still read the SMS messages so the attack is exactly the same...

Re:

[NotInHere]

Simple: get a new email address only used for "important" logins: emails domain names, everything important to you.

Then stash the login credentials for that one away in a safe or something and hope the provider doesn't delete it because you almost don't use it.

Re:

[account_deleted]

Comment removed based on user account deletion

Google Authenticator

[pauljlucas]

Does Google allow you to use Google Authenticator?

Re:

[EvilSS]

No, obviously not.

Requires data

[ubergeek65536]

It's useless if you don't have a data plan on your phone.

Re:

[cyn1c77]

It's useless if you don't have a data plan on your phone.

Google is actually letting you choose from several different methods including " tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

Ref: http://googleappsupdates.blogs... [blogspot.co.uk]

Re:

[thegarbz]

It's useless if you don't have a data plan on your phone.

That depends. I find every situation where I am able to access the internet on a PC I'm usually in range of free WiFi too.

Not to mention that the fallback of SMS still exists.

Worse security

[WPIDalamar]

This is probably way worse security for the techno-illiterate.

Attacker enters password.
Clueless user gets notification, taps it.
Attacker is let in.

Whereas before it would be:

Attacker enters password.
Clueless user gets a number that they don't know what to do with
Attacker is not let in.

Re:

[EvilSS]

To be fair the moron in your scenario probably won't turn on 2-factor to begin with since it's required or enable by default.

Obstacle

[Vlijmen Fileer]

Ah yes.
That obstacle to logging in, making it impossible to access Google services if you do not carry your phone, lost it, it got stolen, the battery is empty, it crashed, it's out of coverage area.
Not sure how that can be made "less annoying".

Wish this standard were open...

[mlts]

Blizzard has similar functionality where the app will look at queued login attempts and ask for approval. Before that, it was IBM's ZTIC which was one of the first 2FA systems which did this.

I wish this were open source, just like TOTP is right now. I use a third party application that allows me to sync my 2FA codes (encrypted, of course) among my devices, including my Linux boxes, and my NAS machines. Having the ability to just tap "approve" for SSH connections would be nice, but it likely would require

Re:

[account_deleted]

Comment removed based on user account deletion

Aweseome With Smart Watches!

[friedmud]

If they implement this properly it will be awesome with smartwatches!

My school uses 2FA through a company called Duo and anytime I go to log in to a school website a notification pops up on my Apple Watch and I just need to touch "Approve" and I'm in. No fumbling for my phone or a key-fob... it's instant and convenient... takes all of the pain out of 2FA.

Re:

[viperidaenz]

This requires your phone to have been recently unlocked, so you can't just steal someones phone. If it hasn't been recently unlocked, it makes you enter your unlock code.

Re: Aweseome With Smart Watches!

[friedmud]

Not that I can tell... do you have some documentation stating that?

Do not want

[scdeimos]

Thank goodness it's optional. I'll stick with the existing 2-factor authentication via SMS, thanks:

• Existing 2-factor authentication can work with any old dumb phone
• New 2-factor authentication requires a tablet or smartphone with a data connection *and* it requires you to install the Google Search app (which will no doubt be reporting back to Googs on your every action.

Slashdot is finally hearing about old news

[viperidaenz]

I've been doing this for months. I'm sure the service has been available for much longer.

I want this for servers

[allo]

But without google.

Something like an android app and some web service coupled with a pam module. The login prompt then displays a number, the app displays the number as well and i can accept the login from the app with a single tap. Fallback to normal google authenticator.

Re:

[mlts]

There are more than just Google's app for authentication. Amazon has similar, and there are a number of third party alternatives, some with dark themes.

Re:

[account_deleted]

Comment removed based on user account deletion