
Google wants you to upgrade to (its) better two-factor authentication

Two-factor authentication has had a bad couple of weeks. Not only was a prominent developer, Justin Williams, forced to take his case to PayPal and AT&T after an attack on his accounts, but it's becoming increasingly clear that SMS-based two-factor authentication is itself an attack vector.

As a result, Google is doing something about that. Because SMS-based two-step verification is the more phishable option (someone could intercept a text message or take over the SIM, as happened to Williams), the company wants people to switch to prompt-based verification:

Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign-in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt out.

Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.

Prompt-based verification is much harder to attack because the prompt travels over an encrypted connection to Google Play Services on a device you registered, not over the carrier's SMS network: there is no code to intercept and no SIM swap that can redirect it. The remaining risk is someone getting hold of a phone that is registered to accept Google's 2FA prompts (and you still need to read the prompt before tapping Yes, since anyone who has your password can trigger one). A lost or stolen phone is easy to deregister from any web browser should that unfortunate event occur.
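The difference between the two mechanisms described above, as an added example that is not Google's code or protocol (Google Prompt's wire format is not published, so this only models the properties the article relies on): the server pushes a login challenge, with its context, to a registered device; only an approval computed with that device's key, for that exact challenge, within its lifetime, is accepted; deregistering the device from a browser makes the handset's key useless; an SMS code, by contrast, is a bare secret that works for whoever types it. The class and function names, the per-device HMAC key established at registration, and the 60-second prompt lifetime are assumptions for the example.

```python
"""Toy model of prompt-based 2-step verification versus an SMS one-time code.

Constructed example, not Google's code or protocol. Registration hands the
handset a per-device key (assumed: a shared HMAC key; a real deployment would
use an asymmetric device key), and approvals are MACs over the challenge id.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds an unanswered prompt stays valid (assumed value)


def _approval_tag(key, challenge_id, decision):
    """MAC binding a yes/no decision to one specific challenge."""
    msg = f"{challenge_id}:{decision}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.devices = {}   # device_id -> key shared at registration
        self.pending = {}   # challenge_id -> (device_id, context, issued_at)

    # Device registration, and the "deregister from any web browser" step.
    def register_device(self, device_id):
        key = secrets.token_bytes(32)
        self.devices[device_id] = key
        return key  # provisioned to the handset once, never sent again

    def deregister_device(self, device_id):
        self.devices.pop(device_id, None)
        # Drop prompts still outstanding for that device as well.
        self.pending = {c: v for c, v in self.pending.items() if v[0] != device_id}

    # After the password checks out, push a prompt to the registered device.
    # The context (browser, OS, location) is what the user reads before tapping.
    def start_prompt(self, device_id, context, now=None):
        if device_id not in self.devices:
            raise LookupError("no registered device for this account")
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (device_id, context, now or time.time())
        return challenge_id, context

    def complete_prompt(self, challenge_id, decision, tag, now=None):
        entry = self.pending.pop(challenge_id, None)  # a challenge is single-use
        if entry is None:
            return False  # unknown, already answered, or dropped at deregistration
        device_id, _context, issued = entry
        if (now or time.time()) - issued > CHALLENGE_TTL:
            return False  # stale prompt
        key = self.devices.get(device_id)
        if key is None or decision != "yes":
            return False
        return hmac.compare_digest(tag, _approval_tag(key, challenge_id, decision))


class Handset:
    """The registered phone. Its key never leaves the device."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key

    def answer(self, challenge_id, decision):
        return challenge_id, decision, _approval_tag(self.key, challenge_id, decision)


def sms_otp_login(delivered_code, typed_code):
    """SMS model: whoever holds the six digits wins, whatever phone they are on."""
    return hmac.compare_digest(delivered_code, typed_code)


def run_scenarios():
    server = AuthServer()
    phone = Handset("pixel", server.register_device("pixel"))
    results = {}

    # Owner signs in, reads the context on the prompt, taps Yes.
    cid, _ = server.start_prompt("pixel", "Chrome on Windows, Toronto", now=1000)
    results["owner_approves"] = server.complete_prompt(*phone.answer(cid, "yes"), now=1010)
    # Replaying the same approval fails: the challenge was consumed.
    results["replay"] = server.complete_prompt(*phone.answer(cid, "yes"), now=1011)

    # Attacker with the phished password triggers a prompt but has no device key.
    cid2, _ = server.start_prompt("pixel", "Firefox on Linux, unknown location", now=2000)
    forged = _approval_tag(b"guess", cid2, "yes")
    results["forged_tag"] = server.complete_prompt(cid2, "yes", forged, now=2001)

    # Owner sees an unexpected prompt and taps No.
    cid3, _ = server.start_prompt("pixel", "Safari on macOS, unknown location", now=2500)
    results["owner_denies"] = server.complete_prompt(*phone.answer(cid3, "no"), now=2505)

    # Prompt answered after its lifetime.
    cid4, _ = server.start_prompt("pixel", "Chrome on Windows, Toronto", now=3000)
    results["stale"] = server.complete_prompt(*phone.answer(cid4, "yes"),
                                              now=3000 + CHALLENGE_TTL + 1)

    # Phone stolen: owner deregisters it from a browser; the thief's key is dead.
    cid5, _ = server.start_prompt("pixel", "Chrome on Android, elsewhere", now=4000)
    server.deregister_device("pixel")
    results["after_deregistration"] = server.complete_prompt(*phone.answer(cid5, "yes"), now=4001)

    # SMS: a code read off an intercepted text or a swapped SIM works for anyone.
    code = f"{secrets.randbelow(10 ** 6):06d}"
    results["sms_intercepted"] = sms_otp_login(code, code)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'refused'}")
```

Note the last check in `complete_prompt` is the only one the SMS model has an equivalent of: the prompt model additionally refuses approvals that are replayed, stale, made for a deregistered device, or computed without the device key, which is why an intercepted text is a complete break while an intercepted push notification is not.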


Daniel Bader is a former Android Central Editor-in-Chief and Executive Editor for iMore and Windows Central.

  • I switched and it's so much easier!
  • Switching from Windows Phone, this is the number one feature on Android that I love. Facebook does it also on my Android phone.
  • I use Authy, and it's so easy.
  • I enjoy being able to use the Google prompt to sign in, much faster than having to type the password. I just use my finger to unlock phone and hit yes.
  • How does this work for setting up a new phone when you don't have access to the old one?
  • You can generate app passwords in your account and use those in lieu of your normal password and the 2-factor will be satisfied. After setup you can then use the normal process.
  • I use prompts on my Google account, and Authy for everything else. The problem in my case isn't a human one, it's with companies like Facebook who insist on sending SMS codes, to both my registered numbers, despite my telling them I wish to use an authenticator app.
  • I solved this by never giving FB a phone number. Their app notification pop-up works fine.
  • Be nice if it always worked, but it doesn't. I have had times where I had to fall back on Authenticator to log in.
  • It is better BUT it never works when you install Google Drive (or the new Backup and Sync app) nor does it work with Google Play Music Manager. Luckily the code generator still works.
  • Hasn't this been around for a couple of months? I got invited to change from SMS a while back. Works well for me although I didn't realise that the reason for changing was that SMS is insecure. Makes sense though.
  • It's Google; they roll everything out in phases. You may have just been one of the early accounts who got the message, before the current bigger push.
  • Same here, I've been using it for months. Works fine and is actually easier to get non-tech-savvy family members to use.
  • The prompt system has been an option for a year or so. It's not new at all.
  • This used to work great, then about 6 months ago it stopped working at all. I have since gone from an S5+ to an S8 and it still doesn't work. I always end up using SMS. Any ideas?
  • I've been getting this for many weeks now.
  • Started using this when I got my Chromebook. Much easier than waiting for, and retyping, a code.
  • I use it. I love it. Just don't use your Google Voice number to authenticate.
  • BUT: To be secure it needs to be TWO factor. So getting a prompt on your phone to confirm that you are logging into a secure site or App ON YOUR PHONE is not adequate.
  • If it's on YOUR phone that YOU'RE using (which should have its own security), why would it matter? You're logging onto your own account on a device you're literally holding; in other words, it's a trusted interaction. Unless you're loaning your phone to suspicious people, this is working as intended. You should have convenient access to your own information, from your own device(s). What you don't want is remote, unauthorized users gaining access to your information, which they shouldn't, since they don't have physical access to your device.
  • Lost or stolen phone? Finder just has to use the phone to log in using saved password. Challenge is sent to the phone being used. What is the point of sending the challenge to the phone being used? If I'm logging in to whatever site on that device then I clearly have the device in my hand. The challenge is not a second factor.
  • Turning on and using two-factor does not mean it applies to all situations. This is because of smart people at Google. I doubt you can use Google Play Services 2-factor prompts without a secure device lock screen active, which makes me consider that such a protection for SMS-delivered codes cannot be ensured in a similar manner. Another way it is less effective.
  • If you password-protect your phone with a strong passcode and use a different password for app authentication, you've essentially got 3-step verification. Verification codes don't display on the lock screen. SMS is way worse, especially if SMS messages pop up on your stolen phone's lock screen. The attacker doesn't even have to unlock the device.
  • But in order to log into your web account to deregister your mobile device requires 2FA, which requires your mobile device. I have already experienced people locked out of critical accounts due to reliance on mobile 2FA.
  • It's never happened to me, of course I have a recovery email that I was forced to set up when switching to 2FA. If your phone gets lost or stolen, you can use the recovery email to authenticate.
  • I wish ALL of my accounts that required passwords used this method. So simple to use. If I'm logging in on a friend's computer to help them resolve an issue, I never need to worry about entering a password on a strange computer. I do need to enter my user ID, but it's just my email, so that's something they already have. ALSO! The prompt that asks you if you have your phone always has the option "Try another way of signing in", such as "use my password".