Google is changing the way that users of its Gmail and other apps use its two-step verification process, making it easier for users to approve or deny new logins.
Currently, users who have two-step verification enabled have to enter a short code from an app or use a hardware token in order to log in to their accounts on new devices. This extra step is designed to make it more difficult for an attacker to take over a victim’s account with just a username and password. Without the 2SV code or the hardware token, an attacker could not access a user’s account.
Now, Google has added a new method for users to approve new logins, simply by tapping a button on their phones. Users of both iOS and Android devices now have the option to enable this verification method, but it requires iOS users to have the Google Search app installed and Android users to have the updated Google Play Services.
The change is designed mainly to appeal to businesses that use managed Gmail and Google Apps.
“We know that security is one of your top concerns as a Google Apps admin and that many of you require your employees to turn on 2-Step Verification (2SV) to keep their accounts safe. There are multiple ways your end users can approve sign-in requests via 2SV—by tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt,” Google said in a post announcing the change.
Two-step verification is a close cousin of two-factor authentication, as it presents a second level of knowledge or access that an attacker must have in order to take over a victim’s account. While 2FA typically requires a user to employ a password and something like a hardware token or smart card, 2SV usually requires the user to enter a code that’s sent by SMS or sometimes email. Both methods have grown in popularity in recent years as account-takeover attacks have risen on services such as Twitter, Gmail, Facebook, and banks.