Given today’s security threats, enabling two-factor authentication on all your accounts is highly encouraged. However, not all 2FA is the same, with the latest consensus being to ditch SMS for Security Keys. Google is now letting G Suite admins disable existing telephony options.
Google refers to 2FA as “2-Step Verification” across its products and now letting admins disable SMS or voice codes for more secure methods. Text messages and phone numbers are increasingly susceptible to spoofing:
As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations.
This new admin policy will prevent users from setting up SMS or hearing voice codes over the phone when trying to log into a Google service. It comes as Google is a big advocate of hardware second factor that requires a user to be in possession of a small device that’s either paired over Bluetooth or plugs into the phone/computer.
Google last year released its own line of Titan Security Keys, and noted how its 85,000 employees have yet to be phished after requiring keys. Meanwhile, the other 2SV method is a “Google Prompt,” which involves a dialogue on your phone confirming that you’re signing in. For its part, Google in 2017 began defaulting from SMS to the Prompt for new 2SV setups.
The new “Any except verification codes via text, phone call” option joins “Any” and “Only Security Key” in G Suite settings for administrators.
More about two-factor authentication:
- The Pixelbook’s power button can double as a U2F security key
- Gmail for iOS now receives 2-Step Verification Prompts, new default over Google app
- Less than 10% of Google account owners are using two-factor authentication