One solution is multi-factor authentication (MFA) or 2-step verification (2SV): you sign in to a secure site with a login and password, and the site then generates an SMS code (or uses another method) to verify it is you. It may add a login step, but it eliminates the use of stolen passwords and logins – unless attackers steal the mobile device as well.
Google now supports 2SV, which is enabled by accessing My Account and selecting Sign-in & Security > Signing in to Google > 2-Step Verification. It supports SMS codes, physical security tokens, landline calls, USB keys and more.
Either 2SV or MFA is great because it alerts the user that their password and login have been used – it is easy to identify fraudulent use.
Chris Webber, security strategist with cybersecurity company Centrify, has welcomed news that Google is simplifying its two-step verification security process by providing in-app access authorisation.
Webber said, “This move is a good step forward. It mirrors what the best enterprise MFA apps have been doing for some time. Having in-app MFA — which requires only a yes or no tap — both makes the end user experience simpler and raises the bar even further for attackers.
“Even an SMS-based code sent to a mobile device is many, many times stronger than simply relying on username and password. Without MFA, attackers only need a stolen password, which today is very easy to get. With SMS, they need the password, and they need to socially engineer mobile carriers into redirecting text messages from the correct phone to another device. That second piece requires real effort, some skill, and a lot more time.
As we all know – there is no perfect security. But there is poor, good, and strong security – and it’s good to see we are moving away from poor password-only security, to MFA for all users.