To meet the demand for better account security, Google Ends 2FA: A Strategic Shift Towards Stronger Security. Google has announced that SMS-based two-factor authentication (2FA) is being discontinued for Gmail. The move exemplifies the company's broader strategy of moving users towards more sophisticated and less vulnerable authentication, driven by the rise in attacks against SMS-based authentication: SIM-swapping, phishing and network-level interception.
Once again, and with little fanfare, Google is reaffirming its commitment to user security through app-based, security-key and passkey authentication, which it hopes will bring down the alarmingly high current level of cyber risk.
SMS-based 2FA, although once a recommended security option, has gradually come to be seen as a weak point in the current cyber security framework. The core difficulty is that it is built on top of the mobile network, which is open to attack in several ways, each of which affects the outcome. The most concerning vulnerabilities include:
SIM-swapping (or SIM-jacking) is a sophisticated attack in which a malicious actor manipulates a mobile network operator into transferring a subscriber's phone number to a SIM the attacker controls. The attacker then receives the victim's calls and SMS messages, including any one-time authentication code delivered over SMS. This attack surface has been behind a large number of high-profile compromises, most notably at crypto exchanges and banks.
SMS can also be intercepted by attackers who exploit weaknesses in cellular network protocols, in particular SS7 (Signaling System No. 7). SS7, the interoperability mechanism between carrier networks, has known security vulnerabilities that allow an attacker to eavesdrop on text message (SMS) traffic. This leaves SMS-based authentication grossly insufficient for sensitive uses.
Phishing attackers have adapted their attacks to defeat SMS-based authentication. Using fake login forms and social engineering, they trick their victims into handing over the SMS codes willingly. Multi-stage phishing attacks, which begin by compromising the e-mail account and then phish the SMS authentication code itself, have shown a continuously rising success rate.
SMS-based authentication also depends on an active connection to the mobile network. People travelling abroad or in remote areas, or users whose network service is interrupted, can be locked out of their accounts because the authentication code cannot be delivered. Further, SMS authentication is not available to people using a VoIP number or a temporary burner phone, which further undermines its reliability.
Google's decision to stop using SMS as an authentication channel follows an industry trend towards more secure practices. The company is actively promoting alternative authentication methods that compensate for the shortcomings of SMS and improve both usability and security. Key alternatives include:
Authenticator applications generate ephemeral, single-use, time-based one-time passwords (TOTPs) on the device itself; the codes are never transmitted over the network. In practice this greatly reduces the risk of interception, since there is no message in transit to capture. Furthermore, because the app and the authentication server derive each code from the same shared secret key, TOTP provides a more secure authentication channel than SMS.
Google has vigorously promoted the Fast Identity Online (FIDO2) specification, which enables authentication with hardware security keys. Devices such as the Google Titan Security Key use cryptographic challenge-response authentication to prevent phishing, cloning and interception of login credentials. Because they rely on asymmetric cryptography, with the private key held on the physical device, the keys cannot be captured remotely.
For a sustained security posture, Google recommends passwordless authentication with passkeys. Users authenticate with biometrics (fingerprint or face recognition) and/or device-based authentication, bypassing both passwords and SMS codes. This significantly reduces the risk of credential theft and removes the need for the user to memorize a long password.
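The two paragraphs above describe the same mechanism, since passkeys are FIDO credentials held by the device instead of a separate key. The following added example, which is not code from the article, from Google or from the FIDO Alliance, is a simplified model of that challenge-response exchange: the relying party issues a random single-use challenge, the authenticator signs it together with the relying-party identifier the browser derived from the page's origin, and the server verifies with the stored public key. Ed25519 stands in for the ES256 keys most security keys use, `signedPayload` stands in for WebAuthn's authenticatorData and clientData hash, and the relying-party IDs are constructed values. Real authenticators also refuse to use a credential for any other relying-party ID; here the "fooled" client is allowed to sign so that the server-side rejection is visible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a security key or passkey provider: it holds the private key,
// signs challenges, and the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// RelyingParty models the web service: it keeps only the registered public key and
// the set of outstanding single-use challenges.
type RelyingParty struct {
	id         string // relying-party ID (the service's domain); constructed below
	pub        ed25519.PublicKey
	challenges map[string]bool // hex(challenge) -> still outstanding
}

// signedPayload binds a signature to the relying-party ID the browser derived from
// the actual origin and to the server-issued challenge (simplified WebAuthn data).
func signedPayload(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(rpHash[:], challenge...)
}

// Register is enrolment: the authenticator generates a key pair and the relying
// party stores the public half.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv},
		&RelyingParty{id: rpID, pub: pub, challenges: map[string]bool{}},
		nil
}

// NewChallenge issues a fresh random challenge and remembers it for one use.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// Assert produces the login assertion. observedRPID is what the browser derived from
// the page the user is really on; a user on a look-alike site gets a signature bound
// to that look-alike ID, which is what makes the scheme phishing-resistant.
func (a *Authenticator) Assert(observedRPID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(observedRPID, challenge))
}

// VerifyAssertion accepts only a signature over this relying party's own ID and an
// outstanding challenge, and consumes the challenge so a captured assertion cannot
// be replayed.
func (rp *RelyingParty) VerifyAssertion(challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, key)
	if !ed25519.Verify(rp.pub, signedPayload(rp.id, challenge), sig) {
		return errors.New("signature not valid for this relying party")
	}
	return nil
}

func main() {
	auth, rp, err := Register("accounts.example") // constructed relying-party ID
	if err != nil {
		panic(err)
	}
	c, _ := rp.NewChallenge()
	fmt.Println("genuine login:", rp.VerifyAssertion(c, auth.Assert("accounts.example", c)))
	fmt.Println("replay of same challenge:", rp.VerifyAssertion(c, auth.Assert("accounts.example", c)))
	c2, _ := rp.NewChallenge()
	fmt.Println("relayed from look-alike site:", rp.VerifyAssertion(c2, auth.Assert("accounts-login.example", c2)))
}
```

The contrast with SMS codes is the point: a one-time code is a bearer secret that works wherever it is typed, whereas the assertion here is only valid for the challenge it was issued for and the site the user was actually on.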
Google Prompt, another SMS 2FA alternative, delivers a push notification to the user's trusted device asking them to confirm or deny a login attempt. Unlike SMS, the approval is tied to a specific enrolled device rather than carried in a code that can be intercepted or phished, so this technique offers higher security against attacks.
Google's shutdown of SMS-based authentication has already prompted millions of Gmail users to migrate to more secure authentication mechanisms. At first glance the change may seem awkward, but the long-term security and usability benefits far outweigh the immediate frustration it causes. Users are strongly encouraged to:
Beyond Gmail, Google's action signals a general industry movement away from legacy authentication models. Companies such as Microsoft and Apple, for example, have been extending the same trend, discarding text-message-based authentication and building a new generation of phishing-resistant security infrastructure. With growing attention to the need for stronger digital identity security, the change is going to accelerate in the coming years.
The end of SMS authentication in Gmail is a carefully considered and empowering step towards stronger user security. Because of its weaknesses (SIM-swapping, phishing and network-based interception), SMS-based authentication is now viewed as an unsafe authentication scheme. By promoting app-based authentication, security keys and passwordless login, Google is charting a course in step with current industry standards and shaping a new model of online security.
As cyber-attacks become stranger and more intelligent, it is imperative for organizations and individuals alike to adopt more secure authentication schemes to protect their digital assets. Google's move is a clear call to retire yesterday's paradigm in favour of the sturdy, flexible technology of today, the technology that will provide the internet experience every user deserves.