Why is Google Enforcing Multi-factor Authentication?

Is this option the most preferred best practice?

  • Total voters
    15
Lamia

Lamia

I was hired recently to roll-out 2FA for an entire university in the Southern Hemisphere. Several of the staff members kicked against it and so some students. But they saw it coming a year before. It has now being enforced University-wide.

Some staff and students demanded new age phones for them to use it since they live with dummy phones. Infact, more than one student don't have a mobile phone number; for one, his family go by daily needs - banking etc - with his wife's mobile. If only they can do without it. And for some staff members, do imagine the comments, objections and counteractions from them.

Why would Google enforce it on selected millions of her users to start with? You don't have to further educate us on 2FA benefits. Is there a small business with comparable free service to switch to? I'm aware of the privacy & encrypted email providers - protonmail, tutano, etc - yet some different Organisations would do. Must these FAANG keep deciding for us?
 
  • Thanks
Reactions: a6h
Because it's hard to remember long password and the password can be brute forced. The login process is changing to certificates on the TPM. The next step is those certificates to be moved from SHA to post-quantum crypto.
 
I think there is nothing wrong with enforcing 2FA in a lot of situations. However, if 2FA/MFA becomes synonymous with "must have a (smart)phone" then yeah... that's a no-go in my opinion.

There are plenty of other second-factor options to choose from.
 
I'm not against 2FA, but against the ways it often gets implemented.
One thing that bothers me at the moment is a lot of 2FA are doing the "time based one time password compatible with Google Authenticator".
It's the "compatible with..." that bothers me. Most people just download Google Authenticator which gives yet another hook.
 
mer said:
I'm not against 2FA, but against the ways it often gets implemented.
One thing that bothers me at the moment is a lot of 2FA are doing the "time based one time password compatible with Google Authenticator".
It's the "compatible with..." that bothers me. Most people just download Google Authenticator which gives yet another hook.
Click to expand...
Correct. Most big guns have their MFA apps to use like Google. Xero/Xerox is one of such. We end up having several MFAs incompatible with one another.
 
  • Like
Reactions: mer
I have 2FA whenever is possible (i.e. FreeBSD forums) but I don't think is something that should be forced because people should be able to make their own decisions. If you're stupid and use really stupid passwords, feel free to go on social networks to say "amagad I've being hacked" ?. And actually, I've got really annoyed when some sites forces 2FA because usually the implementation is dreadful, like "you should use a password starting with a number" or "your password shouldn't have this or that" or "you should register a smartphone" while you can have 2FA without this kind of contraptions (security/keepassxc can do this for you without a smartphone, for instance).
 
shkhln said:
I don't remember Google enforcing anything, however their primary auth method works via TOTP, not some lame SMS service. (You definitely don't want to give Google your phone number though, they'll enable account restore through SMS, which is obviously a huge risk.)
Click to expand...
blog.google

Making sign-in safer and more convenient

Making sign-in safer
blog.google blog.google

Basically they’re going to change the policy from opt-in to 2FA to opt-out from 2FA. In case Google would opt-out from letting their users opting-out, then I will opt-out from Google.
 
I'm honestly unable to understand that blog post. I recognize some English words, but there is just too much PR-speak. What are they rolling out? Some ssh key auth equivalent?
 
shkhln said:
I'm honestly unable to understand that blog post. I recognize some English words, but there is just too much PR-speak. What are they rolling out? Some ssh key auth equivalent?
Click to expand...
Let me read it for you:
... which requires a simple tap on your mobile device to prove it’s really you trying to sign in. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state. By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on. ...
Click to expand...

2SV = Two-Step Verification is just another name for 2FA. Android users are identified by their phone numbers and those are already fucked by Google anyway. iOS users are asked to use Chrome and the Google Password Manager. It does not need much to imagine that these are working with some kind of crypto tokens. Equivalent to ssh key authentication? I guess no, because this would be 1SV only. Google requires you to have a password.
 
That tells me nothing whether those phone keys (for the lack of better term) replace other auth factors or how I can backup/regenerate them. You know, actually important things. As for the automatic enroll, you give Google your phone number — you get what you deserve. (Yes, it's very difficult to avoid, but that's another issue.)
 
Friendly reminder that MFA isn't just for people who lose their passwords often. Databases get broken into all the time, even the likes of Google, Facebook et. al have been known to fail to secure their logs or apply encryption / salts to passwords from time to time. Services like HaveIBeenPwned are only helpful when a credential database has been leaked, and so without MFA there's nothing in the security stack that can differentiate between "correct" login attempts and "incorrect but still authenticated". A lot of places are adding on to the traditional "what you have / what you know / who you are" setups by also including "what you do" and "where you are" factors, i.e. the latter (did this person log in from France when they are normally in California?) has been helpful for some of the institutions that I work with. Counterintuitively, even NIST now recommends a shorter password that is easier to remember and not changed often (as long as it's paired with MFA) to solutions that require often-rotated long passwords with minimum character/symbol counts.

Now, more specifically: I do recommend avoiding SMS-based MFA. Hardware-based tokens, TOTP-based tokens, or push notifications tend to be more secure. So, the Big Tech moves toward mandatory MFA are important, and probably good for the security culture in general.
 
  • Like
Reactions: mer
shkhln said:
(You definitely don't want to give Google your phone number though, they'll enable account restore through SMS, which is obviously a huge risk.)
Click to expand...
I've actually been thinking about this a lot lately. I use 2FA on Google with my phone and phone number, but I'm worried I could (theoretically) lose access to my phone number. I would prefer account restore through my secondary email address only. Is this what you were talking about, and, if so, could you comment more on it?
 
shkhln said:
That tells me nothing whether those phone keys (for the lack of better term) replace other auth factors
Click to expand...
I suspect it's some kind of enhancement for "remember this computer" feature, but the blog post (and some people there as well) keeps treating me like a dummy.
 
Scribner said:
I've actually been thinking about this a lot lately. I use 2FA on Google with my phone and phone number, but I'm worried I could (theoretically) lose access to my phone number. I would prefer account restore through my secondary email address only. Is this what you were talking about, and, if so, could you comment more on it?
Click to expand...
There isn't any kind of safe restore strategy at all (secondary email sounds incredibly risky). Google allows you to generate and print unlocking codes on paper, if you lose those you are completely screwed.
 
Google hasn't been "mandating" it, but they certainly have been popping up a lot of reminders. They also have a selection of methods, at one point in time I think SMS was their primary, but they've obviously changed it.

Email is a good alternative but "I'm trying to log into my email that you want me to 2FA with and you just sent the 2FA to the email I'm trying to log into". Almost mandates you having 2 email accounts on separate providers.

Hardware things like yubikeys are nice, but even then recommendations seem to be "have more than one yubikey". Kind of related, does a yubikey work on a FreeBSD system? If it's been discussed somewhere, a link is fine.

Google and Facebook also say "we'll ask for 2FA if the login is from a computer we don't recognize" so it's not asked for every time.
Banking stuff a lot seem to say "remember this computer" which seems to defeat the purpose of 2FA. Amazon also has the "remember me".

There are some apps that are compatible with Google Authenticator (I think one our corp sec guy recommended was called something like andOTP) that you can push stuff to the cloud so if you lost your phone, you can simply get a new one and "resync" the data.

I've seen a couple of you tube things discussing the algorithms behind TOTP relatively simple algorithm, kind of elegant in the engineering sense, but repeatability depends on Time being in Sync. Anyone that's dealt with similar immediately goes "ooh, what if I'm a second fast or slow" (I know I did).

I think the real answer is that all the people that want to steal the data should really just get a stern talking to and they will understand the error of their ways and they will stop. Then they will convince others to stop stealing.

( the last paragraph was sarcasm just in case it wasn't obvious )
 
Perhaps one day Google will modernize and allow us to use asymmetric private/public keys? Maybe even one day it will be the default.
 
I wouldn't mind 2FA, if more sites actually would support a key-based authentication like a yubikey. Sadly, few sites even support using like the yubikey outside of github, gmail, and maybe ebay (There is a much larger list), but the main spots you'd want to protect isn't there. The key spots that should support it like banking and online shopping still isn't there.

SMS was a good idea when it was first implemented, the problem is that it never was designed to be secure (this was way before 2FA was a big thing). Even now days, SMS doesn't protect you when some other country can easily access the SMS network and read anything from it.
 
Lamia said:
Why would Google enforce it on selected millions of her users to start with?
Click to expand...
For the same reason that the government has decided that using a seat belt is mandatory, that houses need smoke detectors and fire sprinklers, that motorcyclists need to wear a helmet, that some of our taxes have to be used for fire fighters, that cars need to follow certain safety standards, and public drinking water needs to be germ free.

Except that the Internet doesn't have government regulation, as governments have in general been about 30 years behind the technological developments. That's why the big providers are leading the charge to make the world safer.
 
ralphbsz said:
For the same reason that the government has decided that using a seat belt is mandatory, that houses need smoke detectors and fire sprinklers, that motorcyclists need to wear a helmet, that some of our taxes have to be used for fire fighters, that cars need to follow certain safety standards, and public drinking water needs to be germ free.

Except that the Internet doesn't have government regulation, as governments have in general been about 30 years behind the technological developments. That's why the big providers are leading the charge to make the world safer.
Click to expand...

Maybe not, but they do have cybersecurity insurance that mandates these sorts of things.
 
You must log in or register to reply here.
Back
Top