back to article Google slides text message 2FA a little closer to the door

Text messages aren't a great way to implement two-factor authentication, but it's a technique that's stubbornly persistent. Now Google has decided to push things along by pushing its alternative into production. The Chocolate Factory's alternative is called "Google Prompt". Instead of sending users a one-time code in a text …

  1. nagyeger

    embrace... extend... bloat?

    So instead of an out of band unreliable message that works on every mobile phone, those with no smart-phone are left in the cold, those with an ageing phone barely enough spare storage (after all the decent bloating of apps /OS) to run what they want get to give up some more precious MB, and everyone gets pushed into installing another piece of google spy/bloat-ware which needs to regularly contact home and report on us just-in-case....

    Is this supposed to be an extension to the otp authenticator app? Google's version is already bigger than the free versions.

    1. Malcolm 1

      Re: embrace... extend... bloat?

      I think I have this enabled on my phone (I certainly get that sort of 2FA prompt when logging into google services). But I don't have the google Authenticator app installed so I think it must be part of the "Google" app or similar.

    2. Test Man

      Re: embrace... extend... bloat?

      Sounds like you didn't read it properly.

      The real story here - Google are defaulting to Google Prompt. Text 2FA is still an option, and will be for some time.

    3. Dave_uk
      Alert

      Re: embrace... extend... bloat?

      Why are so many down-voting nagyeger? Are they SO SHORT-MINDED! Wake up people.

      1. Halfmad

        Re: embrace... extend... bloat?

        Because he/she is incorrect, this is still a text being used, just in a different way.

      2. RyokuMas
        Big Brother

        Re: embrace... extend... bloat?

        Because those who do not remember the past are doomed to repeat it.

        As with Microsoft around 20 years ago, Google has achieved a massive land-grab in an area that has grown to an essential part of how we use computers - they are now using this position to try and leverage control is as many areas as possible, including astroturfing, FUD-spreading and all the other dubious tactics that we saw the best part of two decades ago.

        The worrying part in this is that where Microsoft looked to control our PCs and the applications we ran, Google is wants to control the flow of information both too and from us - to know as much as possible about who we are and what we do, and let us see what they want us to see. I can see a time coming when nobody dare oppose Google, lest information on any of their past misdemeanours suddenly rise to prominence on web search results - or possibly a more public airing of their dirty laundry, as Google and Microsoft are currently doing to each other.

        So yes, you have those that actively support Google (for whatever motivation), and another group who are just simply repeating history.

        1. anthonyhegedus Silver badge

          Re: embrace... extend... bloat?

          "... including astroturfing, FUD-spreading and all the other dubious tactics that we saw the best part of two decades ago." - OK I had to look up FUD (Fear, Uncertainty, Doubt) but I really can't be bothered to look up Astroturfing.

          The only thing missing from that post is the phrase "Wake up, sheeple!". Just another paranoid person, nothing to see here.

        2. Charlie Clark Silver badge
          Black Helicopters

          Re: embrace... extend... bloat?

          I can see a time coming when nobody dare oppose Google, lest information on any of their past misdemeanours…

          Oh come on, you can do better than that! The risk with Google, as with any gatekeeper, is that they might at some point deny you access. Yes, they collect the metadata but, in terms of accessing Google services like GMail, the contents of the e-mails are a much richer vein.

          As usual, anti-trust regulation is the way to manage these companies. And, also as usual, this is an area where the US traditionally fails.

    4. This post has been deleted by its author

    5. Fan of Mr. Obvious

      Re: embrace... extend... bloat?

      If someone does not have a smart phone, can't come up with enough room to install something to help protect their accounts, or has such an old OS that the app won't run (added this one for ya) then 2FA of any kind is likely not something that is needed.

      No smart phone? Likely not using online accounts that need to be protect via 2FA. If you need 2FA and don't own a smart phone, you should rethink your approach.

      No room to install authenticator? You are too stupid to know how to use 2FA and are getting owned no matter what you do.

      OS does not support authenticator? You phone is already owned and you are too stupid to know it.

    6. fruitoftheloon
      Stop

      @nagyeger: Re: embrace... extend... bloat?

      Big G's new idea may not be perfect, BUT some of us who live in the country have shite mobile signal at home, plus the walls of our house are 2-3 ft thick.

      Bizarrely Visa have introduced sms 2fa for my wife's account - she doesn't get ANY signal at all near the house.

      The net result of which is that visa won't get used as much in our household - silver lining etc.

      Cheers,

      Jay.

      1. Anonymous Coward
        Anonymous Coward

        Re: @nagyeger: embrace... extend... bloat?

        some of us who live in the country have shite mobile signal at home

        And this affects more than a few in towns. The other downside to any form of SMS authentication (however it is implemented) is that SMS is not 100% reliable as an immediate service. I've often had family members send me a text that arrives on my phone hours and very occasionally days later. I've even seen an SMS arrive eighteen months after it was sent (and the sender had died in the meanwhile, although I suspect a MNO server SNAFU was responsible for that.

  2. Anonymous Coward
    Anonymous Coward

    Text messages aren't a great way to implement two-factor authentication

    I disagree, given most people are too dumb to have any 2FA at all, text message is functional and convenient and a million times better than nothing

    1. Charlie Clark Silver badge

      Re: Text messages aren't a great way to implement two-factor authentication

      Their ubiquity makes them better than nothing but, from a security perspective, they're not safe. As a result you might as well just inform the users that someone's logged in so they than can take remedial action if necessary.

      Horses for courses and text-based 2FA can at least be credited with raising awareness a bit. Could be even better if the SMS protocol was updated to include better encryption. But that's likely to hit the same problems as with e-mail: the lowest common denominator wins.

    2. Tigra 07

      Re: AC

      I agree. But...I think the logic is that it's a half measure. If you're gonna increase security you don't choose something else that's insecure.

      This is the equivalent of moving your written down passwords from the sticky note on your monitor, to a locked drawer next to it...It's marginally more secure, but could be better.

    3. rh587

      Re: Text messages aren't a great way to implement two-factor authentication

      I disagree, given most people are too dumb to have any 2FA at all, text message is functional and convenient and a million times better than nothing

      I thought that when I first dipped my toe into 2FA. Didn't want to install an app.

      Turns out there's a couple of places at work with cellular dead-spots. It became somewhat tiresome to have to step out into the corridor to get an SMS code, so I installed Authy and haven't looked back!

      Yes it's better than nothing, but if you've convinced someone to bother setting up 2FA in the first place, get a HOTP/TOTP app on there instead of half-arsing it.

    4. gnarlymarley

      Re: Text messages aren't a great way to implement two-factor authentication

      given most people are too dumb

      So, for folks like me that do not have text messaging or a web-enabled phone, google is now trying to find something that can force me onto their "fake security" band wagon.

  3. This post has been deleted by its author

    1. Robert Carnegie Silver badge

      I think 2FA by text works by sending a random code as a message to your mobile number. You must input this code in your process of logging in, but you don't have to send a text back?

      1. This post has been deleted by its author

        1. Graham Dawson Silver badge

          The article is wrong. Google sends a coda via text which you enter as part of the log-in process.

          The insecurity stems from the fact that it's possible - however remotely - to intercept the content of that text.

        2. Pascal

          "The article says Google now has a system where you have to reply to a text. The act of replying acts as the validation in the server - there is no code to input"

          No SMS or reply.

          Their new method sends a push notification to the app. The app then prompts the user somehow ("Looks like someone's trying to log into your account from *location*. Is that you?", with allow / block buttons). Upon pressing allow/block, the app calls a Google API to complete the process.

          So yeah it's a 2-way street but it's data communications, not SMS, which is the hey as SMS has been proven to be vulnerable to SS7 and it was effectively exploited in the wild already.

          End result is extra security because push notification subscription are "secure" (only the owner of the app can push to a specific phone/installation and no known hiijaking of that has happened yet) and the specific install on a phone is the only owner of the key necessary to sign the response message (the public part of which is sent to Google as part of the enrollment process).

          In the end it's one more tool in the 2FA toolkit. Google aren't forcing this, they're offering it as a more secure version of SMS. You can still use authenticators that don't require sms or data connections.

  4. Dan 55 Silver badge

    Slight problem?

    1. Enter user name on fantastic new shiny promptless gmail on stolen phone (user name available from accounts list in settings).

    2. Google Prompt app pops up.

    3. "Why yes, I am trying to log on."

    4. Profit!

    (Same problem as with SMS by the way.)

    1. Fuzz

      Re: Slight problem?

      The prompt unlock requires a screen lock to be enabled on the phone so a thief needs to be able to defeat that.

      This is better than SMS where the thief can move the sim card to another phone to receive the 2FA code.

      1. dajames

        Re: Slight problem?

        ... SMS where the thief can move the sim card to another phone to receive the 2FA code.

        Unless, of course, the SIM card is PIN-locked ... which is probably a good idea in any case.

        1. The Mole

          Re: Slight problem?

          For many people android conveniently shows you your notifications (including new SMS messages) on the lock screen - no unlocking of phone or moving of SIM needed.

        2. Anonymous Coward
          Anonymous Coward

          Re: Slight problem?

          IMO PIN locking is probably bad for more people-- I PUKed my first SIM back at the end of 2005, just trying to find out what different menu items did, not knowing what I was doing or being warned by the dumb phone in any way. But now it seems that more often SIMs are IMEI-locked by the network, so you have to tell your carrier every time you switch phones, so nobody can get your 2FA texts on their phone that isn't screen-locked.

          P.S. If you don't have a proper screen lock, then it's already over and you're just waiting for the worms to come. If you're stuck using (being used by?) Android, and in response to those who claim it's just readable: make sure you 'Hide sensitive notifications' so nobody can just read your texts anyway, without your pattern/pin/fingerprint/etc....

          P.P.S. If PIN locking the SIM is not terribly inconvenient, then I'd rather go that route than have the dumb carrier need to approve my IMEI every time-- but then, can I tell my carrier to lift that restriction because I already take responsibility for my own SIM's security? Probably not. And if there are any that still allow swapping SIMs around, are they the right carrier for all the other reasons I might want? IMEI liberty is not a very strong selling point... hate it. Hate the whole mess.

      2. Tigra 07

        Re: Slight problem?

        It would be pointless to send the code as SMS since that code will be visible on the lock screen of the unlocked phone...

    2. Anonymous Coward
      Anonymous Coward

      Re: Slight problem?

      The phone thief would also need to know the password, before the app even asked for confirmation. This is a form of 2FA, not 1FA!

    3. DropBear

      Re: Slight problem?

      Is there even any sort of 2FA where the question of "which two things do you need for access" can't be depressingly answered by "just the phone..." ? I mean, outside dedicated hardware tokens...?

      1. Dan 55 Silver badge

        Re: Slight problem?

        Yes, Yahoo Account Key. I thought this was similar, and obviously I'm wrong.

        1. Anonymous Coward
          Anonymous Coward

          Re: Slight problem?

          "Yes, Yahoo Account Key."

          Yeah and what a royal PITA that is when you don't have your smartphone with you.

    4. Tom 38

      Re: Slight problem?

      Same problem with SMS, but same problem with hardware token. Steal or gain access to the token granting service (whatever it is) and security is reduced.

      PS: Missing step 1.5: Enter password

    5. rh587

      Re: Slight problem?

      1. Enter user name on fantastic new shiny promptless gmail on stolen phone (user name available from accounts list in settings).

      You're missing the point.

      If they have your end-device then you're screwed anyway. 2FA offers protection against unauthorised logins using stolen credentials, either for a specific service or where you've been negligent and endangered multiple accounts by reusing a (now-stolen) password across multiple services - the sort of stuff Troy Hunt warns about on HIBP.

      If the device is gone, then you would hope that the PIN protection will stop them actually using the phone or accessing the 2FA app until you can login into FindMyiPhone/Android Equivalent and kill it remotely.

      1. Adam 1

        Re: Slight problem?

        @rh587, fixing password reuse between services does not require 2FA to solve. It just requires users to think through the consequences of one of their services being hacked* and therefore leaking credentials from an otherwise unexposed service.

        What I see as really problematic is the number of apps that think it acceptable to have "can read SMS" tokens. This is presumably on the premise of their internal logic to hook up a specific app install to a phone number of the account claimed. All the TFA messages from my bank originate from the same number. So a less than ethical app can monitor my messages for a token code, then trigger a fake sign in prompt on the device to get the credentials, giving them a 5-10 minute window to strike**. That is why I never do banking from a mobile device. It is my second factor. The same thing cannot be both without at least partially*** compromising your security. Also remember that we are only two years since the android lock screen bug that I let someone bypass the lock screen on lollipop. Imagine what that does for pretty much any banking app's security...

        *Or more probably leaving a backup file on a public facing webserver or using mongodbs "terrific" no security by default config.

        **Hint, it isn't rocket science to inform the user that the service is down, try again later.

        ***In spite of these flaws, it is a marked improvement over SFA. (Pun intended)

  5. Anonymous Coward
    Anonymous Coward

    Or use TOTP / HOTP

    If the idea is to verify, as the second factor, something you 'have' (ie the phone), then a TOTP or HOTP generated number will work, even if you don't have a data connection for the phone.

    Quite useful when you are working overseas or when the SMS service is slow (or as per the article, untrusted).

    1. Dr Who

      Re: Or use TOTP / HOTP

      For those of you who like me think top of the pops when they see TOTP I'll save you a google.

      Time based one time password

      HMAC based one time password

      1. Anonymous Coward
        Anonymous Coward

        Re: Or use TOTP / HOTP

        I see OTT and can't think of anything else other than the balloon dance.

      2. iron Silver badge

        Re: Or use TOTP / HOTP

        Helpful but wtf does HMAC mean? Do I need a password to adjust the AC?

  6. Anonymous Coward
    Anonymous Coward

    Feature creap?

    Who wants to bet against this not tracking everything you do later down the road...if it doesn't already?Anyone?

    Is it going to become yet another component of the nasty binary blob that you can't get rid of, one that is "essential"?

  7. Anonymous Coward
    Anonymous Coward

    No app needed. I've been using Googles 2FA for a while now and all it does is use Android OS to pop up a window asking if it's you trying to login. I didn't install any app - it was just something ticked in Google Play (I think..).

    1. John Latham

      The app is "Google Play services".

  8. Tigra 07
    Meh

    Good idea, bad implementation

    I had to disable this as it takes ages for the prompt on my work computer and by the time it comes through it's timed out.

    Works fine at home...

  9. RyokuMas
    WTF?

    Hmmm....

    This feels like yet another attempt from Google to switch people from something well established onto something the can control under the disguise of security and altruism, but given this is to log into a Google account, I cannot see what advantage this would give them...

  10. Adrian 4

    Why does it matter ?

    Surely, if you're using gmail, you don't have any expectations of privacy ?

    Not that I don't use it myself. I just assume some{one,thing} else reads it.

    1. Steve Davies 3 Silver badge

      Re: Why does it matter ?

      If you are doing anything that involves Google any thought of Privacy went out the door along with the Horse.

  11. Anonymous Coward
    Anonymous Coward

    There's no need to install more spyware, thanks.

    The starting issue is that email retrieval is typically automated. Your device polls frequently (or gets a push message), and for that to work it needs a password - one that you must make as difficult as possible, because it's used quite often. In this context, being asked for an additional manual password every 5 minutes will make you abandon that idea in, hmm, 30 minutes or so, so you automate a second authentication stream and that's where the problem starts.

    Changing that mechanism means you're venturing outside RFC domain into the sort of proprietary places when the likes of Google, Microsoft et all would LOVE you to be because it would this pesky habit of people to also use other facilities that do not contribute to the great God of Profit and would, instead, empower The Evil Of Honest Competition.

    If the mechanism is left open to follow, for instance, Time based OTP as provided by practically any OTP app such as Google Authenticator and many others, maybe there is scope for wider adoption, but before you engage in all that hassle, here's a tiny problem:

    You. do. not. need. it.

    I have a few test email accounts that genuinely have the account password "password", and have had it for years because I'm proving a point. You will not get in, yet those accounts are all polled with a frequency somewhere between 5 and 15 minutes from three separate devices. They also get dictionary attacks, which bounce. If you really KNOW about email, dictionary attacks are trivial to prevent, even from the sort of distributed botnets that are used to prevent triggering things like fail2ban. There is a time and place for 2FA, but it's not for picking up IMAP or sending SMTP.

    But hey, let's just install yet another bit of spyware..

    1. David Nash Silver badge

      Re: There's no need to install more spyware, thanks.

      "I have a few test email accounts that genuinely have the account password "password", and have had it for years because I'm proving a point. You will not get in"

      Genuine question, can you provide a clue to how that's done please?

      1. verno

        Re: There's no need to install more spyware, thanks.

        Yep I too would like to know..

        1. Anonymous Coward
          Anonymous Coward

          Re: There's no need to install more spyware, thanks.

          Well it repels dictionary attacks apparently and "password" would probably be amongst the first 3 in a "by-popularity" ordered list. I'm guessing whitelist of authorised IPs/machine name/whatever.

      2. Anonymous Coward
        Anonymous Coward

        Re: There's no need to install more spyware, thanks.

        Genuine question, can you provide a clue to how that's done please?

        Not yet, but I think this will go public in a few months anyway. We consult on high grade email security, so me jumping the gun would not be a popular move, even though most of the techniques we use are mine to begin with :).

    2. Throatwarbler Mangrove Silver badge
      FAIL

      Re: There's no need to install more spyware, thanks.

      Another geek completely misses the point. Most GMail users use the Web interface, not an email client, so literally everything else you typed is pointless. The 2FA mechanism would be used when launching the browser window for the first time or whenever the login times out. Performing authentication via IMAP or SMTP would presumably not cause a prompt for secondary authentication.

      1. Anonymous Coward
        Anonymous Coward

        Re: There's no need to install more spyware, thanks.

        Another geek completely misses the point. Most GMail users use the Web interface, not an email client, so literally everything else you typed is pointless. The 2FA mechanism would be used when launching the browser window for the first time or whenever the login times out. Performing authentication via IMAP or SMTP would presumably not cause a prompt for secondary authentication.

        Ah, so your contention is that users would use their IMAP/SMTP password, but with extra 2FA added so their could log in on a browser? In other words, whoever snags the UID and password can use IMAP instead to access their account, while users feel "safe" because they now suffer the extra hassle of 2FA?

        I have been through this: your next suggestion will be to then use a different password for webmail, at which point the question arises: why stop there? Why not not set a 3rd password then for law enforcement or spy access, read-only so it doesn't trip any read flags? Google is too operationally opaque to trust them not to do this. In addition, you now have two passwords per user plus the TOTP seed that need management, support etc.

        Been there, done that, got the T shirt and user feedback, abandoned it because of usability issues and dangerous false sense of security.

        Don't get me wrong, I like TOTP on manual logins (I don't think I have any web logins left without it), but it strongly depends on your audience if they're willing to play ball and suffer the inconvenience, and you'll need to get creative on the password front because there's another problem: people who use webmail tend to pick easy passwords so they can remember them..

  12. rh587

    The Chocolate Factory's alternative is called "Google Prompt". Instead of sending users a one-time code in a text message, it asks users if they are trying to sign in. If they are, in they go. If they're not expecting the login prompt, down come the shutters.

    Probably worth noting it's not their alternative. A few providers - including Symantec VIP have been using "Push Authentication Requests" in their 2FA app for years now.

    I can't say if it was Symantec's idea originally, that's just the one I've had to use to get into a client's systems on occasion. I was more than a bit spooky the first time I logged in (phone on 4G, not the office wifi) and having entered user/password on the desktop, the phone buzzed, I pressed "yes" and the login screen on my desktop magically changed to the service control panel. Clever stuff.

    Works quite well, provided you've got a decent data connection on your phone.

  13. Anonymous Coward
    Anonymous Coward

    Will someone please think of the badgers

  14. Anonymous Coward
    Anonymous Coward

    Hasn't this been around for literally years already? Seems like it's been quite a while.

  15. IGnatius T Foobar
    FAIL

    Compromise via SS7?!

    Last month, Positive Technologies named gmail as one service still vulnerable to compromise via SS7.

    So to intercept a login you have to compromise both the site being logged into, and the telephone network itself? That's not easy. In fact, it's far easier to compromise the mark's IP network than it is to compromise his mobile provider.

    1. Dan 55 Silver badge

      Re: Compromise via SS7?!

      Isn't the point about SS7 vulnerabilities is that you can compromise any mobile provider on the planet, it doesn't have to be your target's mobile provider.

      Just head for a country where corruption is the normal.

  16. Anonymous Coward
    Anonymous Coward

    What happens when your phone dies?

    Today's lesson: Print out those backup codes people! Just don't put them on a postit under your keyboard...

    Why? Phones die, and the authenticator apps they contain have unique IDs.

    1. Your phone dies, and the RSA/VIP/Google Auth apps you have installed die with it.

    2. You get your new phone, pop in the SIM, and you are on the phone network again. You reinstall your apps, or restore from backup, at your choice

    3. The IDs of the authenticators you installed are *not* restored. Thus, all those sites that used them don;t know it's really you.

    4. Hilarity ensues. You can't log in to say that your authenticator has changed without an authenticator!

    For now, the sites where I use app based 2FA have backup codes I can print out ahead of time, or a customer service line. But if you are not careful, you can get completely broken.

    1. Anonymous Coward
      Anonymous Coward

      Re: What happens when your phone dies?

      Thanks for pointing this out. Yes, the phone can die, be stolen, or misplaced, and the authenticators would become a problem. SMS-OTP is very popular, I think it can have some simple fix, that is easier than to fix the user-experience problem of authenticators.

  17. Anonymous Coward
    Anonymous Coward

    And if you dont have a mobile phone?

    no apps

    no sms

    no 2FA?

  18. Anonymous Coward
    Anonymous Coward

    And what happens when the bad guys redirect your calls?

    Presumably no improvement when that happens?

  19. Anonymous Coward
    Anonymous Coward

    Authy

    ... Has had this for years.

  20. cream wobbly

    TXT-based 2FA?

    SMS. You're thinking of the file name extension. Different things, deary.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like