Published on May 9th, 2024
Google has recently announced a significant enhancement aimed at simplifying the activation of two-factor authentication (2FA) for both personal and Workspace accounts.
Formerly known as 2-Step Verification (2SV), this additional security layer seeks to fortify users’ accounts against takeover attempts, especially in scenarios where passwords are compromised.
The change lets users add a second-step method, such as an authenticator app or a hardware security key, before enabling 2FA, removing the need to first rely on less secure SMS-based verification.
“This update proves particularly beneficial for organizations leveraging Google Authenticator or similar time-based one-time password (TOTP) applications,” stated the company. “Previously, users were obligated to activate 2SV with a phone number before being able to integrate Authenticator.”
For users with hardware security keys, two options are now available for adding them to an account: registering a FIDO1 credential on the hardware key, or assigning a passkey (a FIDO2 credential) to it.
However, Google underscores that Workspace accounts might still need to input their passwords alongside their passkeys if the administrative policy for “Allow users to skip passwords at sign-in by using passkeys” remains disabled.
In another change, users who turn off 2FA from their account settings will no longer have their enrolled second steps automatically removed.
“When an administrator deactivates 2SV for a user via the Admin console or Admin SDK, the second factors will be removed as previously done, ensuring that user off-boarding workflows remain uninterrupted,” affirmed Google.
This announcement coincides with Google’s disclosure that over 400 million Google accounts have embraced passkeys over the past year for passwordless authentication.
Modern authentication methods and standards such as FIDO2 are designed to thwart phishing and session hijacking attacks by authenticating users with cryptographic keys generated on, and bound to, their smartphones and computers, rather than with passwords that are easily compromised through credential harvesting or stealer malware.
Nonetheless, new research from Silverfort has identified a weakness that can be used to circumvent FIDO2 through an adversary-in-the-middle (AitM) attack capable of hijacking user sessions in applications that use single sign-on (SSO) solutions like Microsoft Entra ID, PingFederate, and Yubico.
“A successful MitM attack exposes the entire request and response content of the authentication process,” elucidated security researcher Dor Segal. “Once concluded, the adversary can obtain the generated state cookie and hijack the session from the victim. Essentially, there is no validation by the application post-authentication.”
The attack works because the session token issued after authentication carries no protection of its own: whoever holds it is treated as the authenticated user.
Nor is the requesting device validated, so any device can use the cookie until it expires; obtaining the cookie through an AitM attack therefore bypasses authentication entirely.
To ensure exclusive usage of the authenticated session by the client, experts advocate for the adoption of token binding, a technique allowing applications and services to cryptographically bind their security tokens to the Transport Layer Security (TLS) protocol layer.
While token binding presently remains confined to Microsoft Edge, Google recently introduced a new Chrome feature dubbed Device Bound Session Credentials (DBSC) to safeguard users against session cookie theft and hijacking attacks.