Date: 2017-07-14
Two-factor authentication is still the best way to keep yourself safe from password breaches, but some 2FAs are better than others.
Two-factor authentication has had a bad couple of weeks. Not only was a prominent developer, Justin Williams, forced to defend a phishing attack against him to PayPal and AT&T, but it's becoming increasingly clear that SMS-based two-factor authentication is a new vector for hacking.
As a result, Google is doing something about that: since SMS-based two-factor authentication is more susceptible to phishing attacks — someone could potentially intercept a text message or clone a SIM card, as happened with Williams — the company wants people to switch to prompt-based verification:
Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out.
Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.
Basically, prompt-based verification is secure, and cannot be intercepted since it runs through Google Play Services. The only way this could potentially be a security issue is if someone steals a phone that is registered to accept 2FA prompts from Google, but it's really easy to deregister a device from any web browser should that unfortunate event occur.
Reader comments
I switched and it's so much easier!
I use Authy, and it's so easy.
I enjoy being able to use the Google prompt to sign in, much faster than having to type the password. I just use my finger to unlock phone and hit yes.
How does this work for setting up a new phone when you don't have access to the old one?
I use prompts on my Google account, and Authy for everything else.
The problem in my case isn't a human one, it's with companies like Facebook who insist on sending SMS codes, to both my registered numbers, despite my telling them I wish to use an authenticator app.
Be nice if it always worked, but it doesn't. I have had times where I had to fall back on Authenticator to log in.
It is better BUT it never works when you install Google Drive (or the new Backup and Sync app) nor does it work with Google Play Music Manager. Luckily the code generator still works.
Hasn't this been around for a couple of months? I got invited to change from SMS a while back. Works well for me although I didn't realise that the reason for changing was that SMS is insecure. Makes sense though.
It's Google; they roll everything out in phases. You may have just been one of the early accounts who got the message, before the current bigger push.
Same here, I've been using it for months. Works fine and is actually easier to get non-tech-savvy family members to use.