Google to slap two-factor across Apps via suspicious logins trigger

Summary: Google Apps users who haven't enabled two-factor authentication can expect Google to request their phone number in coming weeks as it implements a new security system.


Hackers that steal a user's Google Apps credentials may find them harder to use in future, after Google announced that it will soon be connecting up SMS two-factor authentication to its suspicious login warnings.

In the coming weeks, Google will be prompting all users to register their phone number for Apps. The move, noted by ZDNet's sister site CNET, effectively brings in two-factor authentication for all Google Apps users that haven't set up the feature already.

When two-factor authentication is set up for Google Apps, users need to enter both their password and a separate code, sent to the user's nominated phone number or generated by Google's Authenticator app, to log in. While the feature does work to stop attackers and has been rolled out by most major online services, it's often not mandatory. As a result, it hasn't been universally taken up by users, since it requires more work at login, especially for desktop clients and mobile apps that aren't set up to accept codes.
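The "separate code" second factor mentioned above is, for authenticator apps, an RFC 4226 HOTP / RFC 6238 TOTP: both sides share a secret and derive a short-lived code from the current time, so no SMS delivery is needed. The block below is an added illustration of that scheme and is not Google's or the Authenticator app's code; the function names are hypothetical and the only non-RFC choice is the one-step drift window in `verify_totp`.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as used by authenticator apps.
Added illustration; not Google's code. Names are hypothetical."""
from __future__ import annotations
import base64
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Nothing is sent over SMS;
    the app and the server only need the same secret and roughly synchronised clocks."""
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts +/- `window` steps of clock drift (an assumption, not
    from the RFC) and compares in constant time. A real verifier must additionally
    remember the last accepted counter so a sniffed code cannot be replayed in-window."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


def new_enrollment_secret(nbytes: int = 20) -> tuple[bytes, str]:
    """Fresh shared secret plus the base32 form a user would type or scan into the app."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode()
```

The eight-digit values for the secret `12345678901234567890` at times 59, 1111111109 and 1234567890 are the published RFC 6238 test vectors, which is the quickest way to confirm an implementation before trusting it with real enrollments.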

In the near future, for Google Apps users that have not yet set up two-factor authentication, Google will use its analysis of suspicious logins to judge when to send users a 'Login Challenge' in the form of a verification code delivered via SMS.

"When a suspicious login is detected, we send a challenge to the user such as an SMS with a verification code to the user's phone and ask them to enter this code before we grant access to their account. This drastically reduces the chances of an unauthorized user accessing the account because the attacker would have to get a hold of the user's phone as well as the username and password," Google said in a support document.

Google adds that a 'suspicious login' can also include when a user doesn't follow "the sign in patterns that they have shown in the past".

Since the Login Challenge is only sent as an SMS to the user's phone, there's still a chance that they won't be able to pass the challenge — if they don't have their device to hand, for example — and they can't fall back to Authenticator to generate the code. In that case, a Google Apps administrator will have the option to remove the Login Challenge, which is then automatically disabled for only 10 minutes, to allow the user to log in normally.

Google Apps admins can also configure the system to receive alerts when Google detects a suspicious login on one of their users' accounts, warning them beforehand that a Login Challenge is on the way.
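The flow described in the last few paragraphs (password first; a one-time SMS code only when the sign-in looks unlike the user's past pattern; an interstitial when no phone is enrolled; an admin escape hatch that lifts the challenge for 10 minutes) is a risk-based step-up authentication. The model below is an added illustration and is not Google's code: the account store, the "suspicious login" heuristic (an IP the user has never signed in from), the 5-minute code lifetime and all names are hypothetical, and SMS delivery is a callback so the example runs offline.

```python
"""Toy model of a risk-based 'Login Challenge'. Added illustration, not Google's code."""
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

ADMIN_BYPASS_SECONDS = 10 * 60   # from the article: the lifted challenge re-arms after 10 minutes
CODE_TTL_SECONDS = 5 * 60        # assumption: an SMS code is valid for 5 minutes
CODE_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    # Illustrative KDF; real deployments use argon2/scrypt or a tuned PBKDF2 cost
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    phone: Optional[str] = None                    # None = number not yet enrolled
    known_ips: set = field(default_factory=set)    # stand-in for the user's past sign-in pattern
    pending_code: Optional[str] = None
    pending_ip: Optional[str] = None
    code_expires: float = 0.0
    bypass_until: float = 0.0                      # admin lifted the challenge until this time


def new_account(username: str, password: str, phone: Optional[str] = None,
                known_ips=frozenset()) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), phone, set(known_ips))


def is_suspicious(acct: Account, ip: str) -> bool:
    """Crude pattern check (hypothetical): a source this user has never signed in from."""
    return ip not in acct.known_ips


def login(acct: Account, password: str, ip: str, send_sms: Callable[[str, str], None],
          now: Optional[float] = None) -> str:
    """Password step. Returns 'denied', 'granted', 'enroll_phone' or 'challenge_sent'."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied"
    if not is_suspicious(acct, ip) or now < acct.bypass_until:
        acct.known_ips.add(ip)
        return "granted"
    if acct.phone is None:
        return "enroll_phone"           # the interstitial asking the user for a number
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    acct.pending_code, acct.pending_ip = code, ip
    acct.code_expires = now + CODE_TTL_SECONDS
    send_sms(acct.phone, f"Your verification code is {code}")
    return "challenge_sent"


def verify_challenge(acct: Account, submitted: str, ip: str, now: Optional[float] = None) -> bool:
    """Second step. The code is single-use and cleared whether or not the attempt succeeds,
    so a wrong guess costs a fresh password login and a new SMS rather than another try."""
    now = time.time() if now is None else now
    ok = (acct.pending_code is not None and now <= acct.code_expires
          and ip == acct.pending_ip and hmac.compare_digest(submitted, acct.pending_code))
    acct.pending_code = acct.pending_ip = None
    if ok:
        acct.known_ips.add(ip)          # this source now matches the user's pattern
    return ok


def admin_lift_challenge(acct: Account, now: Optional[float] = None) -> None:
    """Admin escape hatch for a user without their phone; only for a fixed window."""
    now = time.time() if now is None else now
    acct.bypass_until = now + ADMIN_BYPASS_SECONDS


def demo() -> list:
    """Walk the flow with a constructed account and a fake SMS outbox; returns each outcome."""
    outbox: list = []

    def sms(phone: str, text: str) -> None:
        outbox.append((phone, text))

    t0 = 1_700_000_000.0
    alice = new_account("alice", "correct horse", phone="+15550100", known_ips={"198.51.100.7"})
    out = [login(alice, "correct horse", "198.51.100.7", sms, t0)]          # known source: granted
    out.append(login(alice, "correct horse", "203.0.113.9", sms, t0))        # new source: challenge
    out.append(verify_challenge(alice, "bogus!", "203.0.113.9", t0 + 1))    # wrong code: False
    out.append(login(alice, "correct horse", "203.0.113.9", sms, t0 + 2))    # must start over
    code = outbox[-1][1].split()[-1]
    out.append(verify_challenge(alice, code, "203.0.113.9", t0 + 3))        # right code: True
    out.append(login(alice, "correct horse", "203.0.113.9", sms, t0 + 4))    # now known: granted
    out.append(login(alice, "wrong", "203.0.113.9", sms, t0 + 5))            # bad password: denied
    admin_lift_challenge(alice, t0 + 10)
    out.append(login(alice, "correct horse", "192.0.2.55", sms, t0 + 60))    # inside bypass: granted
    out.append(login(alice, "correct horse", "192.0.2.99", sms, t0 + 700))   # bypass expired: challenge
    bob = new_account("bob", "hunter22")                                     # no phone enrolled
    out.append(login(bob, "hunter22", "203.0.113.9", sms, t0))               # enroll_phone
    return out
```

Two design points the article's description leaves implicit are worth noting: the bypass only suppresses the challenge, it never skips the password, and the IP that passed a challenge is folded into the user's pattern so the same device is not challenged again on every sign-in.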

One issue preventing Google from switching on the new Login Challenge across the board is that users must have registered their phone numbers with their Google Apps account for it to work. To acquire the numbers, Google will use suspicious login alerts and introduce a field for users to enter their phone numbers at login.

"When we detect a suspicious login, users will be prompted to verify their identity by entering their phone number. Users who have not set up their phone number will see an interstitial to do so in the coming weeks. Google will use that phone number to verify their identity upon the next suspicious login. Once a user verifies their identity the alert is dismissed," the company said in a blog post that has since been taken down.

Given the tricky task of collecting all those phone numbers, Google said it will "slowly roll out this feature for all domains over the coming weeks" and that it may be some time before users see the change. Also, it notes the launch will "only affect web logins and will not affect users who have 2-step verification enabled or who login through SSO (single sign on)."


Topics: Security, Google, Google Apps

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.



  • I don't give Google apps any information of any personal consequence

    and am not going to give Google my phone number on the pretext of protecting it. Just as with Snoople+, if forced to a choice of Google's Way, I'll take the highway.
    • It's not just Google

      Don't be fooled. The entire "two factor" FUD machine is about harvesting more personal information to cross-index and resell.
  • Personal cell phone for work accounts?

    Does this mean that Google is requiring personal cell numbers to access work accounts? If that is true, I would drop Google Apps in a heartbeat.
  • No

    Google, get your hands off my personal information, or I will get my hands off your Apps.
  • Phone is NOT required

    If you sign up for two-factor authentication (which I did over a year ago), you can install the Authenticator app, and that will generate the number if required. There is no need for Google to have your phone number - if you care about that.

    On the other hand, you can always wait until your identity has been stolen by the Russian mafia because of your weakly password protected service. And then whine about the lack of security.
  • Two problems with this.

    My first problem is that the 2-step authentication process was simply a pain a good portion of the time because it did not work well on the variety of devices to which I connected. I eventually gave up; it was such a pain every time I tried to access my Google Apps on something other than my primary devices.

    Second, I manage a number of Google accounts for a variety of people and purposes. I work in a small non-profit, and I have moved almost all of our files to Google Drive. Furthermore, I am involved in several other non-profit organizations and I have moved them over as well. Furthermore, I have also connected a number of people in my immediate family to Google. While some of them have cell phones, not all of them do. Furthermore, many of them are really not that tech savvy and it will be an incredible headache for me to have to deal with if 2-step authentication is as buggy for them as it was for me, because they will all be calling me to "fix their computer."

    I moved to Google in the first place to try to make my life helping manage various accounts easier. I appreciate the need for security, but I also appreciate the need for people to access their accounts and not have to fret over the technical details all the time.

    Finally, Google has refused to let me link my phone number to various accounts (like my teenage son's, who does not yet have a cell phone) even though I am the only one with a cell phone and I do help manage the account.
    • Much the same problem

      I have much the same problem. My mother is on my Google Apps account, rarely uses a cell phone and simply will not give her cell phone number to anyone not in the immediate family. Other family members will find this extremely inconvenient. At the moment I'm not at all sure what I'm going to do to get this working.
  • This is just forcing everyone to 2-step verification

    Google is clearly stepping over the line with this one. They have made some huge assumptions that just aren't accurate. Great points by littlemas2. Also, what about international travelers who choose to have country-specific SIM cards to use while traveling and thus save the ridiculous international roaming fees? These guys will be forced to use Authenticator. Personally I LOVE Authenticator and use it on my Google accounts. However, the setup of Authenticator and the resulting app-specific passwords is extremely challenging. Even tech-savvy users have trouble getting it right.
  • Suspicious login events - a real threat

    It is interesting to see the debate here. This feature could really be useful for business users who have Google Apps for Business/Government/EDU, and not for consumer Gmail accounts. In those cases, I'm certain the security departments in these organizations would love a feature like this.

    While not directly related to 2FA, here is how we're proposing to capitalize on the Suspicious Login feature of Google Apps.
    Google Apps Reseller