Slashdot Mirror


Google To Replace SMS Codes With Mobile Prompts in 2-Step-Verification Procedure (bleepingcomputer.com)

Starting next week Google will overhaul its two-step verification (2SV) procedure and replace one-time codes sent via SMS with prompts shown on the user's smartphone. From a report: This change in the Google 2SV scheme comes after an increase in SS7 telephony protocol attacks that have allowed hackers to take over people's mobile phone numbers to receive one-time codes via SMS and break into user accounts. The rollout process for this feature is scheduled to start next week when Google will invite users to try mobile prompts instead of receiving a one-time code via SMS. Users need an Internet-connected smartphone to use this feature. Every time users try to log in, Google will show a prompt on their phone asking the account owner to approve the login request. There's no one-time code that users have to fill in, and users can authorize a login request with the tap of a button.

12 of 181 comments

  1. Terrible editors by Anonymous Coward · · Score: 2, Insightful

    I know stories are posted farther apart at night, but it's embarrassing to have stories three hours apart on a weekday afternoon. These editors suck. There used to be a lot of pornographic fiction involving Slashdot editors. I'd like to see what you guys can come up with to explain why the editors weren't posting stories.

    1. Re:Terrible editors by __aaclcg7560 · · Score: 2

      Some of my coworkers go out for a three-martini lunch on Fridays. A few might even return to work after lunch is over.

  2. Re:My iPhone is somewhere else... by xxxJonBoyxxx · · Score: 5, Funny

    >> I have to stop everything while I go fetch my iPhone from the kitchen table

    That will teach you to put your personal tracking device down, citizen.

  3. This already exists. What has changed? by J. T. MacLeod · · Score: 2

    Google has been doing phone app prompts for 2FA for a while.

    Is anything actually different with this system? Or is this just a campaign to encourage SMS code users to switch?

    1. Re:This already exists. What has changed? by PCM2 · · Score: 3, Informative

      > Google has been doing phone app prompts for 2FA for a while.

      If you're talking about the Google Authenticator app, then yes, this is different. I started using it on my Galaxy S7 this week.

      The way it works is, you hit your username and login, and instead of a screen that asks you to type in the code you received, it basically just says "Wake up your phone." When you do, you immediately see a screen saying, "Is this you trying to login? Yes/No." You hit the Yes button and the site instantly logs you in. It's pretty slick, actually.

      --
      Breakfast served all day!
  4. Re:Won't affect me by jason2971 · · Score: 2

    There are alternate 2FA methods that can be used if you lose your phone-- an authenticator app (which may have been lost with your phone as well), a backup email address or (as a last resort) fall back to SMS verification.

  5. Re:My iPhone is somewhere else... by jason2971 · · Score: 3, Insightful

    Then you aren't the target user. I doubt you even use 2FA, if you don't keep track of your phone. So this won't affect you.

  6. Re:But I don't have a smartphone by Misagon · · Score: 2

    But what will you do when you are doing tech support for your mom who had managed to tap "accept" by mistake?

    I have been in exactly that situation when helping my mom when she unintentionally got 2FA on Microsoft's Outlook.com.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  7. Re:My iPhone is somewhere else... by Misagon · · Score: 4, Insightful

    That exact use case - as an emergency phone in the car or summer cottage etc. - is why people still have "dumbphones" that can't run apps.
    Batteries in those can last for six months or more, whereas a "modern" smartphone won't even last for a couple days when turned "off".

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  8. Re:My iPhone is somewhere else... by __aaclcg7560 · · Score: 4, Informative

    The battery in a normal phone self-discharges the same as the battery in a dumbphone. The Li-ion cells don't know what kind of device they're in.

    A smartphone never really sleeps when it's not being used. If you have a lot of apps that do background refresh, the battery life between charges is significantly shorter than a dumb phone. I've heard that the Facebook app is a notorious battery drainer.

  9. Re:And if one uses Thunderbird? by Obfuscant · · Score: 2

    I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.

  10. Re:And if one uses Thunderbird? by swillden · · Score: 4, Insightful

    > I truly love it when Google sends me an email to my gmail account telling me that it didn't allow my device to log in to get my gmail because it was coming in from an unknown IP address. This truly is Dilbert levels of customer support.

    Nonsense.

    Those emails are important. Not when it actually was your device that was prevented from logging in, but when it wasn't. In that case, the email informs you that someone is trying to get into your account, and that they have your password. Which means you should change your password, right the hell now. Unless of course, you recognize the login attempt because you were the one that made it.

    If you want to stop getting those emails, turn on 2FA.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.