The best way to protect online accounts is with a security key that ensures you’re the one signing in. However, enterprise users still have legacy systems like Internet Explorer or remote desktops that don’t support the new log-in method. Google now has security codes created using security keys for those scenarios.
One-time security codes can be used to log into legacy platforms where security keys aren’t supported directly. After signing into an unsupported browser with your username and password, “Get a one-time security code” is presented as an available two-factor authentication option.
This prompts you to “Sign in on another device with your security key to get a code” at https://g.co/sc in Chrome. After plugging in your key, a code will be generated to enter into the first browser. This is safer than getting codes from SMS text messages or phone calls.
For example, a user may need to access a web application that federates their Google identity, but only works on Internet Explorer 11. While the browser can’t communicate with a security key directly, the user can open a Chrome browser and generate a security code, which can then be entered in Internet Explorer to gain access to the application.
This notably allows security key-backed log-ins on iOS apps, Safari, Internet Explorer, remote desktops, and other legacy applications that don’t support FIDO protocols.
Before enabling this new policy, carefully evaluate if your organization needs security codes. Using security keys without security codes helps to provide maximum protection against phishing.
Google is enabling security codes for some G Suite accounts by default:
- Users subject to “Any” or “Any except verification codes via text, phone call” 2-Step Verification policies
- Users which are not subject to a specific 2-Step Verification policy, but that have chosen to use a security key.
This will help increase security key adoption at businesses that previously couldn’t use the 2FA/2SV method everywhere, and is rolling out over the coming weeks.