May 07, 2024Ravie LakshmananOnline Security / Data Breach
Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts.
Also called 2-Step Verification (2SV), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen.
The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication.
"This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company said. "Previously, users had to enable 2SV with a phone number before being able to add Authenticator."
Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a FIDO2 credential) to one.
Google notes that Workspace accounts may still be required to enter their passwords alongside their passkey if the admin policy for "Allow users to skip passwords at sign-in by using passkeys" is turned off.
In another noteworthy update, users who opt to turn off 2FA from their account settings will now no longer have their enrolled second steps automatically removed.
"When an administrator turns off 2SV for a user from the Admin console or via the Admin SDK, the second factors will be removed as before, to ensure user off-boarding workflows remain unaffected," Google said.
The development comes as the search giant said over 400 million Google accounts have started using passkeys over the past year for passwordless authentication.
Modern authentication methods and standards like FIDO2 are designed to resist phishing and session hijacking attacks by leveraging cryptographic keys generated by and linked to smartphones and computers in order to verify users as opposed to a password that can be easily stolen via credential harvesting or stealer malware.
However, new research from Silverfort has found that a threat actor could get around FIDO2 by staging an adversary-in-the-middle (AitM) attack that can hijack user sessions in applications that use single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico.
"A successful MitM attack exposes the entire request and response content of the authentication process," security researcher Dor Segal said.
"When it ends, the adversary can acquire the generated state cookie and hijack the session from the victim. Put simply, there is no validation by the application after the authentication ends."
The attack is made possible owing to the fact that most applications do not protect the session tokens created after authentication is successful, thus permitting a bad actor to gain unauthorized access.
What's more, there is no validation carried out on the device that requested the session, meaning any device can use the cookie until it expires. This makes it possible to bypass the authentication step by acquiring the cookie by means of an AitM attack.
To ensure that the authenticated session is used solely by the client, it's advised to adopt a technique known as token binding, which allows applications and services to cryptographically bind their security tokens to the Transport Layer Security (TLS) protocol layer.
While token binding is currently limited to Microsoft Edge, Google last month announced a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft and hijacking attacks.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
