Slashdot Mirror


Google Is Finally Making Two-Step Verification Less Annoying (theguardian.com)

Google, which first introduced two-factor authentication about five years ago, is now making it a little easier to utilize this security measure. Instead of users having to manually enter a code that they received in a text message, they will now see a prompt message that only requires them to tap on the phone to approve login requests. The feature will be available on Android as well as iOS soon. The Guardian reports: You do have to turn this service on even if you already use two-step. To turn it on you need to first log in to Google and then go to My Account > Sign-in & security > Signing in to Google > 2-step Verification. There you will have options to turn on two-step verification, add Google prompt as an extra form of authentication or replace your existing two-step method. Google isn't the first to use notifications as a method of login verification; both Twitter and Facebook allow users to confirm logins using notifications from their respective smartphone apps. But even they require entering the app, viewing the alert and tapping confirm. Google's one-tap confirm is much faster.

  1. Why would I want 2 step by Anonymous Coward · · Score: 2, Insightful

    And why on God's green earth would I want to give Google my telephone number?

    1. Re:Why would I want 2 step by Anonymous Coward · · Score: 5, Insightful

      You really think they don't have it already?

      That's... cute.

    2. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      Two-factor authentication is based on what you know (your password) and what you have (your cellphone). If script kiddies try to hack into your account by guessing your password, they will still need your cellphone before they can log into your account.

    3. Re:Why would I want 2 step by JackieBrown · · Score: 2

      It's a security thing. If someone gets into my Gmail account, they can reset the passwords for most of my accounts.

      With two step, even if they have the password for my Gmail account, they need a random number that Google sends to my phone each time I (or someone) tries to log into my account.

      My bank does this too.

    4. Re:Why would I want 2 step by Jawnn · · Score: 4, Insightful

      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

    5. Re:Why would I want 2 step by cmiller173 · · Score: 2

      Alternatively, a USB token like this $6 one I use would provide a secure second factor.

    6. Re: Why would I want 2 step by ikejam · · Score: 3, Insightful

      Perhaps so, but do consider this: if you have, say, a hundred friends (a fair percentage of whom will be using Android) who have you in their contacts (not them in yours, which of course is under your control), it would be trivial for Google to know your contact number with a high level of certainty.

    7. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      And how exactly does it work if I do not have a cellphone?

      Google recommends these security tokens in the US as an alternative.

      https://support.google.com/accounts/answer/6103523?hl=en
      https://www.amazon.com/s/?field-keywords=%22FIDO%20U2F%20Security%20Key%22

    8. Re:Why would I want 2 step by CrimsonAvenger · · Score: 3, Insightful

      I take it that a "Telephone Book" is a strange idea where you come from?

      Yes, I know they don't usually do them for cell phones, but there isn't a really good reason why the notion should be outrageous or anything....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    9. Re:Why would I want 2 step by Jawnn · · Score: 2

      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

      Don't be naive, Google will violate any "long established regulations", with impunity, whenever they want, to advance their core ADVERTISING business.

      [citation needed]
      How has Google run afoul of regulations governing mobile or wireline telephony? Right. They haven't. Given that they're Google, if they were going to behave in the manner you fear, they would have done so by now. They have not and they will not because there's nowhere near enough profit in telephony efforts compared to what they are already squeezing out of search, Android, Chrome, etc.

  2. I am not sure this is an improvement by Anonymous Coward · · Score: 5, Interesting

    I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

    1. Re:I am not sure this is an improvement by gmack · · Score: 2

      For cases like that, you can get a U2F key. It is a USB dongle so no internet connection required.

    2. Re:I am not sure this is an improvement by GIL_Dude · · Score: 4, Informative

      So, this is an improvement because it is just one step of the process. If it fails (due to the no data connection issue you mention), you just click to use another method and it fails back to the previous text message option. So no real downside on that count. The biggest drawback I have hit with it is that Google won't let you use both this new method and a hardware security key (I was using a Yubikey). You have to remove the hardware security key from your account in order to add this new method. That's really a bummer because the hardware keys didn't rely on your phone at all. You just have a small USB key that you pop into the computer and press a button when prompted.

  3. Perhaps I'm the only one by 93+Escort+Wagon · · Score: 4, Insightful

    But I don't find SMS two-factor to be particularly burdensome. It's simple, it works, and it relies only on a de-facto standard method of communication that pretty much everyone already has access to - no vendor lock-in required.

    --
    #DeleteChrome
    1. Re:Perhaps I'm the only one by crashumbc · · Score: 2

      True, but how often does THAT happen? Just like locks on your door, 2FA isn't meant to be the holy grail. It's just another layer of security and a very formidable one at that.

    2. Re:Perhaps I'm the only one by thegarbz · · Score: 2

      Maybe there's something I don't understand here because I grew up in a world where there was such a thing as a phone book which listed everyone's number, but ... do you really think Google doesn't already have your phone number?

  4. Requires data by ubergeek65536 · · Score: 3, Interesting

    It's useless if you don't have a data plan on your phone.

  5. Re:A Google App? by cryptizard · · Score: 3, Insightful

    I'm not sure you understand what this does. You might as well say how long do you think it will take for someone to make a fake Gmail app that steals your Google password? Or any other service for that matter? It is a completely orthogonal question to this topic.

  6. Re:Oh joy - more clickthrough. by Qzukk · · Score: 4, Insightful

    But how else am i going to watch tits.avi.scr.js.jpg.exe.com if I don't click Allow?!

    BTW, how many more versions of Windows will continue to "hide extensions for known file types"?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Worse security by WPIDalamar · · Score: 4, Insightful

    This is probably way worse security for the techno-illiterate.

    Attacker enters password.
    Clueless user gets notification, taps it.
    Attacker is let in.

    Whereas before it would be:

    Attacker enters password.
    Clueless user gets a number that they don't know what to do with
    Attacker is not let in.

  8. Re:Oh joy - more clickthrough. by __aaclcg7560 · · Score: 2

    BTW, how many more versions of Windows will continue to "hide extensions for known file types"?

    I don't expect that to change in any future version of Windows. Here's a link to fix your problem.

    http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions

  9. Obstacle by Vlijmen+Fileer · · Score: 2

    Ah yes.
    That obstacle to logging in, making it impossible to access Google services if you do not carry your phone, lost it, it got stolen, the battery is empty, it crashed, it's out of coverage area.
    Not sure how that can be made "less annoying".

  10. Re:Google Authenticator by EvilSS · · Score: 2

    No, obviously not.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  11. Nobody has a hundred friends? by maggard · · Score: 4, Insightful

    I do. I'm nearly 50 years old, have lived in several places, have worked at a number of jobs over the years, had multiple romantic relationships in my life. I've made friends every year, in all of those places, through many diverse ways. Are all of the folks I've friended currently on my short list? No. But that list of a dozen close friends has evolved over time with new ones entering and others dropping off as we move about, go through various stages of life, some have died, etc. But they have my phone number. I have theirs. I may also have their closest friends' or family members' phone numbers. That adds up to well over a hundred people. And while I'm social I'm nobody compared to some of the butterflies I know. More than two people for every year of life? Those gregarious folks get, and use, that many numbers in a night on the town. No, for most of us non-hermetic folks I'd guess a hundred friends or more is entirely unsurprising.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  12. Re:Oh joy - more clickthrough. by friedmud · · Score: 3, Insightful

    While I think this is a good idea... I can kind of understand what he's saying.

    Imagine this:

    1. Bad guys steal password
    2. Bad guys go to gmail.com and enter password
    3. Good guy receives notification that approval is needed for a login
    4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

    That scenario couldn't happen with a pin code being sent... because the Bad guys would not receive the pin code and the Good guy wouldn't have anywhere to enter the pin code...

    I agree that it's pretty boneheaded... but the point of the parent is that we're all so used to clicking OK/Approve (and we REALLY will be if every website requires this kind of authentication) that many normal people might accidentally click Approve for bad requests...

  13. Re:Oh joy - more clickthrough. by Ash-Fox · · Score: 2

    4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

    You have to unlock the phone first...

    --
    Change is certain; progress is not obligatory.
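
The scenario from the "Worse security" and "Oh joy - more clickthrough" comments above, as an added example that is not part of the original thread: a hypothetical `LoginServer` with a code mode and a prompt mode, showing that a code has to come back through the browser that started the login while a tap is accepted from the phone alone. The class, password and session name are assumptions; the secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed sample: the RFC 4226 test secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code, standing in for the number sent to the phone."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class LoginServer:
    """Hypothetical verifier with two second-step modes: 'code' and 'prompt'."""
    def __init__(self, password: str, mode: str):
        self.password, self.mode = password, mode
        self.counter, self.expected, self.granted = 0, {}, set()

    def start(self, session: str, password: str):
        """Password step. Returns what gets delivered to the owner's phone."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return None
        self.counter += 1
        self.expected[session] = hotp(SECRET, self.counter)
        if self.mode == "code":
            return self.expected[session]
        return f"Approve sign-in for session {session}?"

    def submit_code(self, session: str, code: str) -> bool:
        """Code mode: the proof must come back through the browser session."""
        if self.mode == "code" and hmac.compare_digest(code, self.expected.get(session, "")):
            self.granted.add(session)
        return session in self.granted

    def tap(self, session: str, approve: bool) -> bool:
        """Prompt mode: the proof is a yes/no sent from the phone, out of band."""
        if self.mode == "prompt" and approve and session in self.expected:
            self.granted.add(session)
        return session in self.granted

def stolen_password_login(mode: str, owner_taps_approve: bool) -> bool:
    """The thread's scenario: someone else has the password, the owner has the phone."""
    server = LoginServer("hunter2", mode)
    server.start("other-browser", "hunter2")  # phone now shows a code or a prompt
    if mode == "prompt":
        return server.tap("other-browser", owner_taps_approve)
    # Code mode: the code sits on the owner's phone; the other browser can only guess.
    return server.submit_code("other-browser", "000000")
```

In this model the prompt-mode outcome depends entirely on the owner declining a request they did not start, which is the habit the commenters worry about.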