
Phishing: Google just made it easier to use 2FA to secure your accounts

Google has rolled out an update for its two-factor physical security keys for protecting Google Accounts that makes it easier to enroll the keys on Android and macOS devices. 

Google users can register the security keys on Android devices running Android 7.0 “N” and newer using Chrome version 70 and up. The keys can also be registered on macOS devices using Safari version 13.0.4 and newer. 

The move knocks down more barriers to users adopting two-factor authentication (2FA) to protect Google Accounts from phishing attacks – in particular customized phishing attempts by state-sponsored attackers. It’s a solid obstacle to phishing because login requires physical access to the security key, which can be either a smartphone or a USB security key like Google’s Titan Keys or hardware security keys from Yubico.

A Google engineer in 2018 revealed that less than 10% of Gmail accounts use 2FA because of usability issues. Even amongst developer populations, which should be more clued up on security and using tools like 2FA, adoption is equally low. 


Google doesn’t want to force general users to adopt 2FA because it fears it would drive them away. As of January, however, Firefox-maker Mozilla has required all Firefox browser extension developers to enable 2FA to reduce the risk of extensions being hijacked after attacks on developer accounts.

Google’s recent efforts to boost adoption and reduce friction include allowing iPhone owners to use the device as a security key for Google accounts. 

The Chrome-Android and Safari-macOS update for security keys for Google Accounts also applies to Google’s Advanced Protection Program aimed at high-risk users such as execs, politicians and journalists. 

“By making it easier to register security keys, we hope more users will be able to take advantage of the protection they offer,” Google explains in the latest update. 


Source: Information Technologies - zdnet.com
