Google rolled out its new 2-step verification process called prompt in July 2016. The aim of the tool was to allow users to turn on a second factor of authentication without relying on text messages. Text messages can be easily hijacked if an attacker acquires the mobile phone number, plus entering a texted code into a web form can be kludgy. Prompt’s objective is to simplify the process of 2-factor authentication (2FA) and enhance security.
Prompt has undergone a few changes since it was announced in 2016. First, in February 2017 Google revamped the service through “improvements to the notifications” users receive, such as providing detailed information about sign-in requests, and giving users the ability to block unauthorized access. In subsequent months, the company made further attempts to lure 2-Step Verification (2-SV) SMS users to try prompt instead. In a release on the GSuite Updates sites, Google explained that “SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers.” By using account authentication, they said, users can feel confident that local mobile device security policies will be enforced and that authentication is verified through encrypted channels (prompt requires a data connection to function).
As of mid-October 2017, Google announced that prompt will be the default authentication method for users who select 2-factor authentication. This is a positive step; making it easier for users to inch closer to enabling enhanced security features is a proven mechanism for adoption. The concern? The fact that this is Google’s fourth attempt to attract users to prompt, and that they’re focused mainly on current 2FA users. Though statistics on prompt usage are not readily available, it’s a good guess that adoption hasn’t seen any sharp increases since its introduction in July 2016 (otherwise, why would Google make this most recent change?).
Man, it’s a hot one
Over the years we’ve watched as consumer-oriented services like Facebook, Twitter, LinkedIn, Instagram, Dropbox, and a host of other popular apps and websites have gently nudged consumers to implement some form of 2FA. Two-factor authentication is one excellent method of foiling attackers by removing low-hanging fruit, but judging from all the successful phishing attacks in recent years, 2FA is far from anyone’s default. As reported recently by CSOOnline, "The problem with two-step verification is that it requires a user to turn it on. Most users are either unaware of this or too lazy to spend 5 minutes to flip the two-step switch on for their email account."
Enterprise security practitioners might be more concerned with enterprise usage and systems, but consumerism is not disconnected from enterprise usage in today’s tech gadget landscape. Plus we all saw how BYOD, which started by targeting consumers (who may also be enterprise users), shaped the way enterprises operate. Therefore, targeting consumers is a noble cause, and one that has potential to shift consumer behavior in the workplace. That isn’t happening yet, though.
Nor is the inverse. Enterprises, overall, have not been diligent about moving employees toward 2FA. According to a survey by identity management vendor SecureAuth, “56% of organizations are using 2FA in some capacity.” “Some capacity…” Also, given the vendor’s database and likely respondents to their survey, it’s possible that SecureAuth is fishing in its own pond, so to speak.
Instead of the soft-shoe approach, Google, among others that offer 2FA for consumer devices and services, should be elevating awareness of additional forms of authentication and verification. Instead of sending invitations to current 2FA/2-SV users, Google should be sending notifications to all users (for the record, prompt is also available to iOS users who install Google Play). Preaching to converts won’t grow adoption. Letting non-users know about 2FA and how easy it is to implement, though, is likely to have a greater impact.
Like seven inches from the midday sun
Two-factor/two-step authentication has been around for too long—as a proven-effective security measure—for adoption to be so low. Companies handling consumer/employee/user data need to get serious about increasing usage. In fairness, users should be more dedicated to securing their own data, too. We know, though, that the average consumer won’t adopt something unless they find it personally beneficial. It’s why billions of dollars are spent every year on advertising and marketing campaigns—to draw consumers to products and services that make their lives better/more productive/healthier/happier/etc. Companies—tech and enterprises collecting/storing/using consumer data—need to consider the business benefits, the competitive advantages, of rolling out 2FA to users and start incorporating security messaging into mainstream campaigns.
It’s not enough for the information security community, along with a scant few disciples, to see, read, and share these messages. With all the high-visibility breaches in the news, and the clean-up costs associated with remediating a breach, security needs to be a feature of products and services that is turned on by default. It’s easier said than done, of course, but it’s well past time to make 2FA ubiquitous.
 According to the Ponemon/IBM “2017 Cost of Data Breach,” companies spend an average of $3.62 million USD per breach
Learn more about phishing mitigation techniques, identity and access management, and end-user awareness at InfoSec World 2018 in Orlando, Florida, March 19-21, 2018.