In a blog post commemorating World Password Day, Google announced the move to make users sign in via a second step after entering a password, such as a mobile app.
“Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured,” wrote Mark Risher, director of product management, identity and user security. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.”
According to Risher, Google is also working on creating advanced security technologies into devices to make this multi-factor authentication seamless and even more secure than a password. “For example, we’ve built our security keys directly into Android devices, and launched our Google Smart Lock app for iOS, so now people can use their phones as their secondary form of authentication,” Risher said.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, explains, “Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use.”
“My suggestion is to use MFA to reduce cyber fatigue, rather than add to it. MFA should be used to make authenticating more efficient, reducing the need for users to type in their passwords or even the need to create new passwords as humans are the worst at choosing long complicated passwords so the less we do that the more we reduce that risk, says Carson. “Combining MFA with Privileged Access Management (PAM) also further improves security by moving security controls to being risk based and adaptive to the business risks.
Carson adds, “Password hygiene should always be part of employee training and cyber awareness training. Once someone knows how to connect to the internet they should be educated on how to use a password manager. Organizations must help employees move passwords into the background so they do not have to choose or remember passwords, using a privileged access security solutions helps organizations reduce the risk of weak passwords which is a common cause of many security incidents and data breaches.”
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, says, “This is an important step forward. It could end up being a mild annoyance for the millions who have not chosen to be 2FA yet. However, for the next generation, this will become a part of life – a habit. This move does beg a question though: will this end up creating a haves & have nots divide? 2 step verification (2SV) does mean that one needs to have a mobile device. Will this move force earlier adoption of mobile devices in our youngest generation? Will this force an earlier generation to look at their mobile phones differently? These are questions that will get answered along the way, but something to think about. In addition to 2SV, I recommend using Google’s password checkup – it is a simple yet effective way to know about all the sites/apps you have used your Google ID to login and if your passwords are safe or not on those sites/app.”
Source: https://www.securitymagazine.com/articles/95160-google-wants-to-enable-mfa-by-default