Google Inc. is pushing users to switch from messaging-based two-step login verification to a phone-based service instead as a way to bypass the security risks of Simple Messaging Service authentication services.
Beginning this week, Google will invite users of its existing so-called SMS 2-SV service to use a different login method. The alternative service, known as Google Prompt, was launched in 2016 and uses a pop-up push notification that allows users to verify logging into their Google account by simply selecting “yes” on the screen. That’s in contrast to the SMS method, which requires a security code to confirm a login.
“Overall, this is being done because SMS text message verification and one-time codes are more susceptible to phishing attempts by attackers,” Google said in a blog post. “By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.”
Security issues with SMS authentication services such as Google’s 2-SV and more traditional two-factor authentication services were first highlighted in a report from the National Institute of Standards and Technology in August 2016. It recommended that SMS-based 2FA systems not be used because of their inherent insecurity.
The problem relates to the ability of hackers to intercept SMS messages sent to phones. Highlighting the risk involved, two high-profile cases in the last 12 months used different methods to intercept SMS messages used for 2FA purposes.
The first case, in December 2016, saw hackers fake the identity of a Colombian man, then use that information to transfer his mobile phone number from T-Mobile to another carrier linked to a Google Voice account. The hackers then intercepted his SMS 2FA messages and stole funds from the man’s bitcoin account. In a second case in May, hackers in Germany exploited a known vulnerability in mobile phone network systems to listen to private phone calls and intercept text messages. They then drained money from a victim’s bank account.
Rep. Ted Lieu (D-California) at the time of the last hack put the security issue simply: “2FA is screwed,” he said, and “everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk.”
Users of Android phones have support for the Google Prompt system built into their phones. Apple iPhone users must install the Google Search app on their phones to gain access.