In a great cybersecurity move that every vendor should replicate, Google is slowly starting to make multi-factor authentication (MFA) the default. To confuse matters, Google doesn’t call MFA “MFA”; it calls it “two-step verification (2SV)”.

Even more interesting, Google is also promoting the use of FIDO-compliant security-key software built into phones. An iOS version is available as well, so it can be installed on all Android and Apple phones.

For the sake of clarity, this built-in key is not designed to authenticate users, according to Jonathan Skelker, Product Manager for Google Account Security. Android and iOS phones use biometrics for that (mostly face recognition, with some fingerprint recognition), and in theory biometrics provide sufficient authentication. The FIDO-compliant software is designed to authenticate your phone to services accessed from other devices, such as Gmail and Google Drive.

That is, biometrics authenticate the user, and then the built-in key authenticates the phone.
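To make the two-layer model concrete, here is an added example (not code from the article, from Google, or from any FIDO implementation) that models a phone-resident FIDO key in Go using only the standard library. The biometric check is reduced to a boolean, the relying-party identifier `accounts.example` is a constructed placeholder, and the message layout is a simplification of WebAuthn: the private key never leaves the "phone", the credential is scoped to one relying party, and the server checks its own challenge, the scope, a strictly increasing signature counter and the ECDSA signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the phone's built-in FIDO key (hypothetical simplification).
// The private key stays on the device; the user is verified locally (biometric),
// which this model represents as a boolean input to Assert.
type Authenticator struct {
	rpID    string // relying party the credential is scoped to (constructed: "accounts.example")
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every assertion
}

// RelyingParty models the service side. It holds only the public key and the
// last signature counter it accepted.
type RelyingParty struct {
	rpID    string
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is what the phone returns for one login: the signed fields plus the signature.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Challenge []byte
	Signature []byte
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

// Register enrols the phone: only the public key crosses to the server.
func Register(a *Authenticator) *RelyingParty {
	return &RelyingParty{rpID: a.rpID, pub: &a.priv.PublicKey}
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedBytes builds the message both sides hash: rpIDHash || counter || challenge.
func signedBytes(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	buf := append([]byte{}, rpIDHash[:]...)
	buf = append(buf, cb[:]...)
	return append(buf, challenge...)
}

// Assert is the login step on the phone. userVerified stands in for the biometric
// check; requestOrigin is the site the client says is asking. Because the credential
// is bound to rpID, a look-alike origin gets no signature at all.
func (a *Authenticator) Assert(userVerified bool, requestOrigin string, challenge []byte) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	if requestOrigin != a.rpID {
		return nil, fmt.Errorf("credential is scoped to %q, refusing request from %q", a.rpID, requestOrigin)
	}
	a.counter++
	h := sha256.Sum256([]byte(a.rpID))
	digest := sha256.Sum256(signedBytes(h, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: h, Counter: a.counter, Challenge: challenge, Signature: sig}, nil
}

// Verify is the server side: it checks the challenge it issued, the rpID binding,
// a strictly increasing counter (replay or cloned-key signal) and the signature.
func (rp *RelyingParty) Verify(issued []byte, asr *Assertion) error {
	if !bytes.Equal(issued, asr.Challenge) {
		return errors.New("challenge mismatch")
	}
	if asr.RPIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return errors.New("assertion is for a different relying party")
	}
	if asr.Counter <= rp.counter {
		return errors.New("signature counter did not increase: replay or cloned credential")
	}
	digest := sha256.Sum256(signedBytes(asr.RPIDHash, asr.Counter, asr.Challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], asr.Signature) {
		return errors.New("bad signature")
	}
	rp.counter = asr.Counter
	return nil
}

func main() {
	phone, _ := NewAuthenticator("accounts.example")
	server := Register(phone)
	ch, _ := server.NewChallenge()
	asr, err := phone.Assert(true, "accounts.example", ch)
	if err != nil {
		panic(err)
	}
	fmt.Println("login:", server.Verify(ch, asr))  // <nil>
	fmt.Println("replay:", server.Verify(ch, asr)) // counter error
}
```

The point the article makes is visible in the split of responsibilities: `Assert` refuses to sign unless the local (biometric) check passed, and `Verify` never sees a biometric or a password, only proof that the enrolled phone signed this server's challenge for this relying party.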

The next question is whether companies other than Google can take advantage of this app. Given that Google did not exclude rival Apple, I’m guessing the answer is probably yes.

This all started on May 6th, when Google announced the change to its defaults in a blog post, describing it as an important step toward eliminating weak passwords. Note: it’s a mystery why Google didn’t put a date on the blog post.

On the one hand, having the phone, which is almost always nearby, act as a hardware key is smart security. It also adds a bit of convenience to the process, which users need if they are to appreciate it. Making it the default is wise as well, given how well known user laziness is.

Instead of requiring users to dig into their settings to switch on Google’s flavor of MFA, it is simply there by default. Few people object to security, price or convenience, but many object to spending time poring over their settings.

But in an enterprise environment, there are still big reasons to stick with external hardware keys. The main one is consistency. First, these external keys have already been purchased in large quantities, so why not use them? Second, users carry different kinds of phones, and standardizing employees and contractors on external keys is simpler.

In an interview, Skelker said that Google’s built-in keys have no security advantage over external keys, given that both are FIDO compliant. But that is as of today. It’s very likely that Google will significantly increase the security of its built-in software keys within a few years, and if that happens, the CIO/CISO decision becomes very different.

Suddenly there would be a free key that is better than the existing hardware keys, and one that almost every employee and contractor already owns.

As much as I admire Google’s efforts to kill passwords, there is an industry-wide problem that spans every discipline. As long as the overwhelming majority of vendors and businesses still require passwords, the effort is of limited use in many places. In a perfect world, users would refuse to use environments that still require a password. Revenue has a way of getting executives’ attention.

But sadly, most users don’t care enough to do that, and don’t understand the security risks posed by passwords and PINs, especially the ones they use themselves.