There are multiple ways end users can approve sign-in requests via two-factor authentication in Google apps, including tapping a security key or entering a verification code sent to their phone. Google has now added the capability to have employees approve a prompt that simply pops up on their phones.
For now, however, admins cannot have Security Keys and the Google prompt enabled at the same time, and the prompt requires a data connection. Android users will need updated Google Play Services to use it, and iOS users will need the Google Search app installed on their phone.
Chris Webber, security strategist at Centrify, said without MFA, attackers only need a stolen password, which today is very easy to get. With SMS, they need the password, and they need to socially engineer mobile carriers into redirecting text messages from the correct phone to another device. With in-app MFA, the app must be installed on a specific device, correlated with the user. This makes the bar even higher for attackers, as the social aspect is removed from the chain.