Google Introduces Non-Innovative Device-Specific 2FA to Your Account
I love 2-factor authentication. I wish every account I had allowed for its use. 2-factor authentication (or “2FA”) is one of the best ways to keep your accounts secure. Google has long supported that feature, but it was generally through the use of either a code sent via SMS, or using a specific app to generate a 2nd-factor code and then typing it in when you log in to Chrome or some Alphabet/Google service (or whatever uses your Google account). But starting today, you can approve account logins from a prompt on your authorized mobile device.
You can add a mobile device to your 2-step login from your account security settings under Sign-in & Security > Signing in to Google > 2-Step Verification. This works on both iOS and Android devices, provided they have a secure lock screen. You need to have the Google search app installed on iOS as well. On Android, this is all handled by Play Services (so, if you have a serious Dark Android setup device that doesn’t have the Google Play Store, you won’t be able to use this…but you probably already knew that, and you already have a solid security implementation in play, anyways).
So when you log in on a new computer or place with your Google account, Google will push an approval prompt to your chosen phone. It’s automatically the default method, and I don’t see any way to demote it if you have it turned on. If you don’t have that phone with you or there’s no data connection, you can click the alternative sign-in link to input a code as usual. If mobile device approval isn’t live for you yet, it should be in the next three days or less.
Do I recommend setting this up? It’s fine. I like codes better because you can create backup codes, and 2FA codes work offline (and I spend as much time offline as possible, personally). But the interesting thing here is that this isn’t a new security feature at all. Sure, it’s new for Google, but it’s not a new idea. Microsoft has been doing this–on Android in particular, I might add–for years with their 2FA Microsoft account app. Years. What took Google so long to catch up to the convenience train on this security feature is beyond me; it’s such a simple feature to implement, and if you’re someone that is “always connected”, as it were, it’s as effective as the 2FA codes you get in an app.
SIDE NOTE: Device-specific security verification will also soon have a contender that can work offline (as I understand it): Steve Gibson’s SQRL implementation, which uses a mobile device and QR codes, along with your PC, to replace passwords and deliver a far more secure experience overall. This is technology that I am very excited for and is very close to release.
Again, nothing to get excited about here with Google, and it really just shows how far behind the times the company is. If you haven’t set up 2-factor authentication on your accounts yet…get to it all the same.