Google to slap two-factor across Apps via suspicious logins trigger
Hackers that steal a user's Google Apps credentials may find them harder to use in future, after Google announced that it will soon be connecting up SMS two-factor authentication to its suspicious login warnings.
In the coming weeks, Google will be prompting all users to register their phone number for Apps. The move, noted by ZDNet's sister site CNET, effectively brings in two-factor authentication for all Google Apps users that haven't set up the feature already.
When two factor authentication is set up for Google Apps, users will need to input both their password and a separate code, sent either to the user's nominated phone number or generated by Google's Authenticator app, to log in. While the security feature does work to prevent attackers and has been rolled out for most major online services, it's often not mandatory. As a result, it's not been universally taken up by users, since it requires more work at login especially for desktop clients and mobile apps that aren't set up to accept codes.
In the near future, for Google Apps users that have not yet set up two-factor authentication, Google will use its analysis of suspicious logins to judge when to send users a 'Login Challenge' in the form of a verification code delivered via SMS.
"When a suspicious login is detected, we send a challenge to the user such as an SMS with a verification code to the user's phone and ask them to enter this code before we grant access to their account. This drastically reduces the chances of an unauthorized user accessing the account because the attacker would have to get a hold of the user's phone as well as the username and password," Google said in a support document.
Google adds that a 'suspicious login' can also include when a user doesn't follow "the sign in patterns that they have shown in the past".
Since the Login Challenge is only sent as an SMS to the user's phone, there's still a chance that they won't be able to pass the challenge — if they don't have their device to hand, for example — and means they can't fall back to Authenticator to generate the code. In that case, a Google Apps administrator will have the option to remove the Login Challenge, which is then automatically disabled for only 10 minutes, to allow the user to login normally.
Google Apps admins can also configure the system to receive alerts when Google detects a suspicious login on one of their user's accounts, warning them beforehand that a Login Challenge is on the way.
One issue preventing Google from switching on the new Login Challenge across the board is that it users will have had to have registered their phone numbers with their Google Apps account for it to work. To acquire the numbers, Google will use suspicious login alerts and introduce a field for users to enter their phone numbers at login.
"When we detect a suspicious login, users will be prompted to verify their identity by entering their phone number. Users who have not set up their phone number will see an interstitial to do so in the coming weeks. Google will use that phone number to verify their identity upon the next suspicious login. Once a user verifies their identity the alert is dismissed," the company said in a blog post that has since been taken down.
Given the tricky task of collecting all those phone numbers, Google said it will "slowly roll out this feature for all domains over the coming weeks" and that it may be some time before users see the change. Also, it notes the launch will "only affect web logins and will not affect users who have 2-step verification enabled or who login through SSO (single sign on)."