Users of Google’s cloud-based suite of productivity apps may find when logging in that their usual two-factor authentication options (2FA, or 2-step verification, as Google calls it) have disappeared.
If G Suite users have previously been logging in with SMS or voice call verifications, they could now be asked to authenticate using another method such as Google’s Prompt system or a security token based on the FIDO/2.0 standards.
Hopefully, this won’t come as a surprise to users because their G Suite admins will have told them about this change to their 2FA options in advance.
What lies behind the change is a new setting Google has made available in the G Suite console that for the first time gives admins the power to migrate users from one method of authentication to another.
Previously, admins could simply enable 2FA, choosing from a range of possible ways this could happen. Now, although admins can allow any type of authentication if they wish, two specific types of authentication – SMS and voice calls – can also be disallowed by policy.
From an admin point of view, the obvious worry is that users will ignore enforcement warnings that ask them to enrol in a new authentication method and find themselves locked out as a result. Google’s solution to this is enrolment reports that identify any laggards.
You can give these users extra time to enrol by putting these users into an exception group where 2SV isn’t enforced until they can add a 2SV method.
It’s a small but important tweak that’s been on the cards for a while, hastened by the dawning realisation that older forms of 2FA are not only theoretically less secure but are now under active attack.
For most users, this means SMS authentication, which can be undermined in a rising number of ways, from automated phishing attacks that simply request the code (which the attackers then enter themselves) to SIM swap fraud.
Both rapid release and scheduled release G Suite domains can expect to see this new console option in the next two weeks.