Ever fumble when you’re typing in a verification code sent to your phone or burbled up from Google Authenticator?
Here’s some relief for the fat-fingered: Google’s just made two-step verification (2SV) a lot less aggravating.
As the company announced on Monday, you can now get prompts pushed to your phone that ask whether you’re trying to log in from a given device.
Answering that prompt has just gotten a lot more simple than typing in a 6-number code: just grab your phone (yes, you still have to grab your phone, turn it on, and make sure you’ve got connectivity; this isn’t entirely effortless) and make one simple button stab, choosing Yes or No to allowing sign-in.
The prompt brings up a simple dialog that shows your name, profile image, and the specific city and device you’re trying to log-in from. Underneath, Google gives you two options to approve or deny the sign-in request: “No, deny sign-in” or “Yes, allow sign-in.”
This is the third way Google provides to approve sign-in requests by 2SV, the others being by tapping a Security Key or by entering a verification code sent to a phone.
To enable 2SV via prompts, go to the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account.
You can keep on using the Google Authenticator app, text message, or a variety of previous methods, but Google notes that you can’t have both the Google Prompt and a Security Key enabled at the same time.
The prompt feature will be rolling out through Wednesday. Android users will need the most recent version of Google Play Services to turn it on.
iOS users will need the Google Search app installed on their phone to use Google prompt.
Google says it will soon update its Help Center with more instructions.
Given that the new 2SV prompt is a part of Play Services, virtually all Android users will soon get this super simple access to multi-factor authentication.
That’s a very good thing.
Multifactor authentication – what’s also known as 2SV or two-factor authentication (2FA) – can help where other forms of authentication, such as passwords, fall down.
As the yearly lists of the top bad passwords show, passwords are often the weakest link in the authentication chain, given that many people don’t use passwords that are complex enough.
Others reuse passwords, setting themselves up for account break-ins when online crooks acquire logins from breaches or third-party sites, such as happened to Fitbit.
Even complex passwords can be susceptible to brute-force attack: we saw that when researchers managed to pry 18,000 Bitcoiners’ passwords out of their wallets, running the attack off a mere $55 worth of Amazon Server.
Besides the 2SV prompt, Google has made other plans to kill passwords by year’s end.
That includes supplanting passwords with a feature called the Trust API that would mix together weaker indicators – including biometrics – into something called a Trust Score.
If all works out as Google hopes, that Trust Score will prove you are who you say you are.
In the meantime, any (secure) changes that make two-factor authentication easier for more people to use are a welcome thing.
Mind you, 2FA/2SV isn’t foolproof. We found out last week that a bit of social engineering and the last four digits of somebody’s taxpayer ID can let crooks trick phone carriers into resetting a phone’s SIM and thereby intercepting the codes sent via SMS to the device.
But while it’s not foolproof, two-factor authentication is still a good, solid step to take to keep intercepted logins from being used to take over your accounts.
And heaven knows that in these days of mega breaches, there are a ghastly number of those pilfered logins out there!