In a wonderful cybersecurity move that should be replicated by all vendors, Google is slowly moving to make multi-factor authentication (MFA) the default. To confuse matters, Google isn’t calling MFA “MFA”; instead, it calls it “two-step verification (2SV).”
The more interesting part is that Google is also pushing the use of FIDO-compliant software that is embedded within the phone. It even has an iOS version, so it can be in all Android phones as well as Apple phones.
To be clear, this internal key is not designed to authenticate the user, according to Jonathan Skelker, product manager with Google Account Security. Android and iOS phones are using biometrics for that (mostly facial recognition with a few fingerprint authentications) — and biometrics, in theory, provides sufficient authentication. The FIDO-compliant software is designed to authenticate the device for non-phone access, such as for Gmail or Google Drive.
In short, biometrics authenticates the user and then the internal key authenticates the phone.
The next question that arises is whether other companies beyond Google will be able to leverage this app. I’m guessing that, given Google went out of its way to include arch-rival Apple, the answer is likely yes.
This all started May 6, when Google announced the default change in a blog post, heralding this as a key step in killing the ineffective password. Note: Why Google didn’t put a calendar date on the blog post is a mystery.
Copyright © 2021 IDG Communications, Inc.