Google To Replace SMS Codes With Mobile Prompts in 2-Step-Verification

Ecks · 07-15-2017, 02:59 AM

Starting next week Google will overhaul its two-step verification (2SV) procedure and replace one-time codes sent via SMS with prompts shown on the user's smartphone.
This change in the Google 2SV scheme comes after an increase in SS7 telephony protocol attacks that have allowed hackers to take over people's mobile phone numbers to receive one-time codes via SMS and break into user accounts. The rollout process for this feature is scheduled to start next week when Google will invite users to try mobile prompts instead of receiving a one-time code via SMS. Users need an Internet-connected smartphone to use this feature. Every time users will try to log in, Google will show a prompt on their phone asking the account owner to approve the login request. There's no one-time code that users have to fill in, and users can authorize a login request with the tap of a button.

Read More @ https://www.bleepingcomputer.com/news/go...procedure/

mothered · 07-15-2017, 06:41 AM

This doesn't prevent much. Sure It may be a little more secure, but It's not a conclusive security Implementation to prevent unauthorized access of the account.

This Is the vulnerability right here (too easy):

Quote:and users can authorize a login request with the tap of a button.

The moment It gets put Into action, Is the best time to SE the account holder. If you have their credentials, the moment you login, Immediately shoot off an SMS (via a virtual number) to the account holder assuming the role of Google's automated service (or a representative) saying something along the lines of "Your account Is almost ready. Please authorize the request and your account will be finalized".

Given It's a new feature, the majority of users are unaware of It's requirements (and exactly how It operates), therefore the SE will have a significant chance of succeeding.

JzJad · 07-15-2017, 07:46 AM

Ummmm they have already implemented this in for recovering you're account if you lose you're password, sends a prompt to you primary active phone.

mothered · 07-15-2017, 09:46 AM

(07-15-2017, 07:46 AM)JzJad Wrote: Ummmm they have already implemented this in for recovering you're account if you lose you're password, sends a prompt to you primary active phone.

From what I can make of this, It will be a mandatory feature.

As It stands now, for secondary Gmail accounts, It's not a necessity to provide a phone number as part of the recovery options.

Sikom · 07-15-2017, 09:09 PM

I have had this feature available for some time... and you said they are launching trails now?

zabo · 07-15-2017, 09:43 PM

I have this feature on my Yahoo email's and it's really convenient, it helped a lot when one of my email's got hacked.