Two-factor authentication (2FA) — or 2-step verification (2SV) in Google’s parlance — is a crucial security measure. G Suite is now adding the ability to restrict codes to the same device or network on which they’re generated.
In the hierarchy of 2FA methods, physical security keys, which have to be plugged into the device you’re logging in from to confirm your identity, are the most secure. Security codes that have to be entered manually raise concerns about interception by malicious parties, but they are still needed for legacy devices.
Google is now adding a login option where security codes can only be used on the same device or local network (NAT or LAN) on which they were generated. This new option replaces a blanket default setting that did not allow security codes.
G Suite admins now have three related settings (Admin console > Security > Advanced security settings). The last allows security codes to be used on other devices and networks, such as when accessing a remote server or a virtual machine.
- Don’t allow users to generate security codes: Users can’t generate security codes.
- Allow security codes without remote access: Users can generate security codes and use them on the same device or local network (NAT or LAN).
- Allow security codes with remote access: Users can generate security codes and use them on the same device or local network (NAT or LAN), as well as other devices or networks, such as when accessing a remote server or a virtual machine.
Framing the change as a way to make “security codes more secure,” Google notes that the legacy authentication method is “commonly used” on devices that are actually capable of supporting security keys and compatible browsers, like Chrome.
The new restricted security code option allows that use case to be satisfied while reducing some potential vulnerabilities. Unrestricted codes will still be available for users who need them (such as those using remote servers or virtual machines).
There will be no user-facing changes until a G Suite admin makes a change. This option to restrict security codes will roll out starting today.