Google wants you to bid farewell to SMS authentication

Google’s campaign to nudge its vast user base towards  more secure two-step (2SV) and two-factor (2FA) authentication continues: from this week anyone logging into its services using SMS codes will start receiving notifications from something called “Google prompt”.

When the user initiates login, a screen will appear on their Android smartphone (iOS users must install the Google Search app) asking them to confirm that they are trying to sign in, with information on the device, browser type and ISP location. The screen clears when the user confirms the login was made by them.

For users who’ve never heard of Google prompt, it’s an authentication option the company launched in June 2016 as a more secure alternative to receiving codes via SMS. Some users might also find it quicker than generating codes using the Authenticator app, as explained below.

Naked Security has already published a pro and con comparison of SMS text authentication versus using the Authenticator app, so we won’t delve into that too deeply.  The question is how Prompt improves on either of those options.

Prompt is primarily aimed at overcoming the growing insecurity of SMS codes. These can be grabbed by malicious apps in a man-in-the middle attack and, of course, there’s the alarming rise of SIM swap fraud, also recently covered by us in some depth.

The takeaway is that while SMS codes are better than nothing, they’re no longer considered as secure as they once were. Confirmation of SMS’s troubled status was confirmed last summer by NIST, which  recommended US government departments stop relying on it.

The weakness of SMS is that data travels across a channel not controlled by Google itself.  With prompt, data is still being sent back and forth, but using an encrypted channel.  As long as the phone is within reach of a data connection, the user will also receive a real time warning every time someone – anyone – attempts to log into their Google account.

The other advantage of this is that it’s quicker to hit “yes” when prompted than it is to enter an SMS code or, in the case of Google Authenticator, a six-digit code. However, Authenticator (which requires no insecure data to and fro once it’s been set up) is still the best choice for anyone who uses 2-step verification to log into third-party sites in addition to Google.

Users who insist on sticking with SMS codes won’t be forced to adopt prompt immediately but the direction of travel here is pretty clear: SMS’s days are numbered, on Google at least.

Longer term, the main hurdle to changing people’s authentication habits could simply be confusion. The inadequacy of passwords is now understood but the fact Google is now offering five authentication options (including hardware tokens such as the YubiKey and single-use “emergency” codes) risks overload.

Over at Facebook, things are almost as confusing with additional options offered such as logging in using a profile picture and nominating trusted users to help access an account.

That many people have accounts with several services, each with their own blend of options, only adds to the impression that seamless authentication security for the post-password world is still some way off.