G Suite admins can now ban staff from using insecure SMS for two-factor authentication
- 15 March, 2019 08:26
Google is rolling out an update for its G Suite business products that lets admins disable the use of SMS and voice verification codes for 2-factor authentication.
Google itself recommends that organizations use hardware security keys such as its own Titan keys or Yubico’s keys. However, the company says it introduced the ability to block SMS verification in response to demand from admins who are increasingly aware of the weaknesses of relying on SMS.
“As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations,” Google said in a blog today.
As it notes in a support document, using text messages to receive verification codes is “discouraged” because “they rely on external carrier networks and might be intercepted”.
One such attack is known as “SIM swapping”, in which an attacker impersonates a carrier’s customer and convinces a carrier employee to transfer the victim’s phone number to the imposter.
Google last year reported that none of its 85,000 employees had been successfully phished since it mandated all employees use physical security keys.
Admins can ban the use of SMS and voice codes by changing the setting in the Admin console to allow any 2-step verification method except verification codes delivered via text message or phone call. Admins can also configure the console to allow security keys only.
From then on, users covered by the policy won’t be able to add SMS- or voice-based codes as an option, whether when enrolling in Google’s 2-Step Verification system or when later accessing their account.
Other methods of 2-step verification Google supports include security keys, Google prompt, Google Authenticator, and backup codes.
The company also warns small businesses that they’re increasingly in the line of fire and should enable 2-step verification.
“Cybercriminals are increasingly targeting small businesses. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more. A hacker might be able to steal or guess a password, but they can’t reproduce something only you have,” Google explains.
The new security lockdown feature will be rolling out over the next month, starting from today.