Google announced on Monday that it’s streamlining two-factor authentication (2FA) for customers using Workspace and personal accounts.
Also known as 2-Step Verification (2SV), it enhances the security of users’ accounts by helping prevent unauthorized access in case passwords are compromised.
The change lets users add a second-step method, such as an authenticator app or a hardware security key, before turning on 2SV, removing the previous requirement to first enrol a phone number for the less secure SMS-based verification.
“This is especially useful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the firm stated. “Before, users could add Authenticator only after enabling 2SV with a phone number.”
Hardware security key owners have two options for integrating a key with their account: they can either register a FIDO1 (U2F) credential on the key, or create a passkey, which is a FIDO2 credential.
Google notes that if the admin policy “Allow users to skip passwords at sign-in by using passkeys” is turned off, Workspace will still prompt users for their password in addition to the passkey.
Another significant change is that when users turn off 2SV from their own account settings, the second steps they have enrolled are no longer automatically removed. Removal initiated by an administrator is unchanged.
Google said, “The second factor will be removed as before, to ensure user off-boarding workflows remain unaffected when an administrator turns off 2SV for a user from the Admin console or via the Admin SDK.”
The move coincides with the search behemoth’s announcement that over 400 million Google accounts used passkeys for passwordless authentication during the previous year.
Unlike passwords, which can be stolen through credential harvesting or malware, FIDO2 credentials are designed to resist phishing: the key pair is bound to the origin it was registered for, the private key never leaves the computer, smartphone or security key that generated it, and the authenticator only signs a challenge that carries the origin the browser actually connected to. That protection covers the act of authenticating; it does not by itself protect the session that is created afterwards.
A threat actor can, however, sidestep that protection by launching an adversary-in-the-middle (AitM) attack against the connection and taking over the session that follows a successful login, in applications that rely on single sign-on (SSO) solutions such as Microsoft Entra ID, PingFederate and Yubico Playground, according to recent research from Silverfort.
“A successful MitM attack exposes the entire request and response content of the authentication process,” stated security researcher Dor Segal.
“Once it’s over, the attacker can take over the victim’s session by obtaining the produced state cookie. In other words, once the authentication is over, the program does not validate anything.”
The weakness is not in FIDO2 itself but in the common practice of applications issuing a session token after a successful authentication and then treating it as a bearer token: whoever presents it is accepted as the user.
Since the application typically does not check which device is presenting the session, any device can use the cookie until it expires. An attacker who captures the cookie through a Man-in-the-Middle (MitM) position on the connection therefore gets an authenticated session without ever having to defeat the authentication step.
Token binding addresses this by tying the issued token to the client's own TLS connection: the client holds a key pair, proves possession of it on the connection, and the server binds the token to that key, so a token captured by an intermediary cannot be presented over a different connection.
Token binding is, at the time of writing, supported only by Microsoft Edge. Google has recently introduced Device Bound Session Credentials (DBSC), a Chrome feature with the same goal: the session is tied to a key pair held on the device (backed by a TPM where available), so a cookie copied off the machine is not enough to reuse the session.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.