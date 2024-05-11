



Like most observers, I noticed Google's recent announcement on April 9th ​​(https://workspaceupdates.googleblog.com/2024/04/multi-party-approvals-for-sensitive-admin-actions.html) celebrated. Some common actions that Google Workspace super admins perform.

This means that when certain high-risk actions are taken (such as account recovery), an admin can request approval of the action from another super admin before it is performed. Multiple party approval is enabled by default for domains with two or more super administrators. Currently, Google defines the following high-risk activities: [with my additional explanations]:

2 step verification [i.e., enabling or disabling two-step verification for a user]

Account recovery [i.e., allowing users to self-recover or not]

advanced protection [i.e., enabling or disabling Advanced Protection for a user]

Google session control [i.e., limiting a user session before they have to re-authenticate]

Issues when logging in [i.e., enable or disable user login challenges]

no password [i.e., enabling or disabling FIDO passkeys]

Many of the targeted actions are increasingly being exploited by threat actors, including ransomware gangs, which I believe is why this feature was implemented and rolled out.

I think this is a great idea! I'm not criticizing it or how Google implemented it. It's well-built and fairly automated, with a nice administrative user interface experience and solid default settings. I wish Google would include and implement more potential actions in more places. We are confident that this will encourage other vendors and competitors to do the same. It is true that approval by multiple parties makes some malicious acts more difficult for hackers.

There are two points, one small and one important.

First, multiparty approval is actually just an implementation of what is known as an automated workflow. Many commercial and custom products have included automated workflows for decades. For example, many help desk products include workflow automation to approve certain requests that involve high-risk administrator actions. Good help desk software allows you to apply automated workflows to every action that often require multiple approvers. Hundreds of thousands of companies have long operated customized, automated workflows within their companies.

When I worked at Microsoft (over 6 years ago), we had a lot of automated workflows within the company. For example, resetting an employee's password required not only help desk approval and identity verification, but also approval from the employee's manager. The employee's manager receives an email from the help desk stating that the employee has requested a password reset and asks the manager to confirm that the employee is indeed the one who needs to reset the password. .All your boss needs to do is email[はい]Just click. Until the password reset request is completed. Everything was automated.

Leaders will also receive semi-annual email notifications about folders and files that employees have access to and must continue to allow access (at least until the next access control validation email is sent). You need to make sure that. If the leader did not respond to the request, the employee was cut off from accessing the protected resource. Some types of confidential digital certificates (such as code signing certificates) have had a multi-party approval process. It has been part of the Microsoft Active Directory Certificate Services product for over 20 years.

The difference here is that Google has brought this to their cloud platform and enabled it by default (for many customers), including many common high-risk scenarios. I don't know if Google's competitors will also do something like multi-party approvals, but to my knowledge this is the first time it's been done within a major cloud vendor's customer management console. So kudos to Google for doing that. I hope success breeds more of that.

But one important thing to remember is that although the approval of multiple political parties makes it harder for hackers to succeed, they still succeed. We're not in a situation where multi-party authorization is introduced and all the social engineering hackers close up their doors and go home, like when multi-factor authentication (MFA) started being pushed in a big way by major vendors.

If you can get one admin to do something with a good social engineering scam, you can almost easily get two admins to do the same thing. If the CEO gets furious over the phone that she's making a big deal and he needs to recover her account because MFA isn't working, that stress is equally felt by her two managers. It will work. So, like the MFA, multiparty endorsement is good, but it's not a perfect defense. Hackers will get around it. Social engineers update scams to avoid this.

We know this because hackers (at least so far) always adapt and overcome. These days, MFA is touted as a way to thwart hackers. Remember the utter nonsense of experts claiming MFA stopped his 99% of attacks (https://www.linkedin.com/pulse/stop-insanity-mfa-does-99-attachs -roger-grimes/). It was later discovered that 90% of MFAs are susceptible to man-in-the-middle attacks (https://blog.knowbe4.com/do-not-use-easily-phishable-mfa), and now millions of MFA exists. Hacked MFA user.

Initially, attackers had to manually bypass MFA. But now, almost all password-stealing malware and automated hostile man-in-the-middle attacks have been updated to bypass MFA, the most common form most people use. He no longer needs an uber hacker to bypass MFA. It is enough for a person to spend $ 50 to buy a fishing kit. Once weaknesses in defenses are found, hackers find ways to exploit them, and eventually attacks become automated. The same thing is likely to happen with multiparty endorsements. they are amazing. Use them if possible. However, recognition by multiple political parties is not impossible.

Anything that makes a hacker's life difficult is a good thing and welcomed. Consider that you can wait and see if you don't implement it and forget about security basics. We must continue to be wary of hackers and social engineers. You must hover your mouse over the link to see its content before clicking it. They need to make sure it is the CEO who is requesting account recovery and not just his AI-generated deepfake.

Sources 1/ https://Google.com/ 2/ https://www.linkedin.com/pulse/googles-multi-party-approval-process-great-roger-grimes-mnxae

