Google is now replacing the standard SMS two-factor authentication method with phone verification prompts as the default security measure for account sign-ins. That means that users who had previously been receiving text messages with codes to sign in will no longer receive those. Instead, they’ll start receiving a prompt on their signed-in smartphone or, in some cases, their Chrome OS gadget.
Put simply, these are the prompts that appear as part of two-factor verification, giving users extra security. The prompts ask users to click yes or no to verify that they’re trying to sign in. In other cases, the prompt asks them to verify a number. That number is shown on the device they are trying to sign in to, and the entry takes place on their smartphone.
This replaces the system that required users to receive a text and then enter the in-message code to verify their identity.
Why are phone verification prompts the better method?
The phone verification prompts method is being pushed out by Google chiefly as a way to ensure better security by default. The search giant notes that it’s just a better way to keep things safe. That’s because while it’s fairly easy to spoof a phone number and intercept a code via SMS, it isn’t so easy to intercept the prompts. The improvement comes down to the fact that another device needs to be signed in already. And an attacker would need physical access to that device.
Devices that are signed in can also be checked and removed with ease from a given smartphone or other devices in Google account management settings. A search for devices brings up the list. So users can check to ensure there aren’t any unknown or unwarranted devices logged in prior to using the tool. Or remove devices they no longer own.
Additionally, that safety stacks atop the fact that the prompt shows up on all devices at once. So even if a user doesn’t happen to be near a device with an activated SIM card, such as if their SIM has been illegitimately switched, they’ll still see the prompt. For the same reason, it’s also helpful in any other circumstance where an illegitimate sign-in is being attempted.
Secondary to that, phone verification prompts are more convenient. No code entry is required. Users simply need to tap a yes or no button, or tap a number to verify they can see the device on which a sign-in is being attempted.
When is this arriving for end-users and is there any way around it?
Now, Google does indicate that the new phone verification prompts won’t necessarily be applied by default to every user. And they won’t need to remain in place for those who don’t want them, despite the above-mentioned benefits. To begin with, for those who already are using physical security keys, this method won’t replace those.
Security keys are more secure for a number of reasons, not least of all because they require physical access. That can be via a connected smartphone or a Google-built Titan security key.
For users who want to hold onto the somewhat less secure text codes and other methods, that’ll still be selectable too. Users will need to select “More ways to sign in” on the prompt to get that set back up.
Users who don’t have two-factor authentication set up won’t see any change. But for everybody else, this will be turned on by default. That applies to both personal account holders and G Suite customers and users.
The rollout will take place over a 15-day period starting on July 7.