# Why is Google Enforcing Multi-factor Authentication?



## Lamia (Dec 18, 2021)

I was hired recently to roll out 2FA for an entire university in the Southern Hemisphere. Several of the staff members kicked against it, and so did some students. But they saw it coming a year before. It has now been enforced university-wide. 

Some staff and students demanded new-age phones for them to use it, since they live with dummy phones. In fact, more than one student doesn't have a mobile phone number; for one, his family goes about daily needs - banking etc. - with his wife's mobile. If only they could do without it. And for some staff members, do imagine the comments, objections and counteractions from them.

Why would Google enforce it on selected millions of her users to start with? You don't have to further educate us on 2FA benefits. Is there a small business with a comparable free service to switch to? I'm aware of the privacy and encrypted email providers - Protonmail, Tutanota, etc. - yet some different organisations would do. Must these FAANG keep deciding for us?


----------



## Switch2BSD (Dec 18, 2021)

2FA authentication via mobile has no value in some countries where the authorities read SMS messages; enabling 2FA there carries a risk of leaks.


----------



## VladiBG (Dec 18, 2021)

Because it's hard to remember a long password, and the password can be brute-forced. The login process is changing to certificates on the TPM. The next step is for those certificates to be moved from SHA to post-quantum crypto.


----------



## jbo (Dec 18, 2021)

I think there is nothing wrong with enforcing 2FA in a lot of situations. However, if 2FA/MFA becomes synonymous with "must have a (smart)phone" then yeah... that's a no-go in my opinion.

There are plenty of other second-factor options to choose from.


----------



## mer (Dec 18, 2021)

I'm not against 2FA, but against the ways it often gets implemented.  
One thing that bothers me at the moment is a lot of 2FA systems are doing the "time based one time password compatible with Google Authenticator".  
It's the "compatible with..." that bothers me.  Most people just download Google Authenticator which gives yet another hook.


----------



## Lamia (Dec 18, 2021)

mer said:


> I'm not against 2FA, but against the ways it often gets implemented.
> One thing that bothers me at the moment is a lot of 2FA systems are doing the "time based one time password compatible with Google Authenticator".
> It's the "compatible with..." that bothers me.  Most people just download Google Authenticator which gives yet another hook.


Correct. Most big guns have their own MFA apps to use, like Google. Xero/Xerox is one such. We end up having several MFAs incompatible with one another.


----------



## Menelkir (Dec 18, 2021)

I have 2FA whenever it is possible (i.e. FreeBSD forums), but I don't think it is something that should be forced, because people should be able to make their own decisions. If you're stupid and use really stupid passwords, feel free to go on social networks to say "amagad I've been hacked". And actually, I've got really annoyed when some sites force 2FA, because usually the implementation is dreadful, like "you should use a password starting with a number" or "your password shouldn't have this or that" or "you should register a smartphone", while you can have 2FA without these kinds of contraptions (security/keepassxc can do this for you without a smartphone, for instance).


----------



## eternal_noob (Dec 18, 2021)

2FA is nice to have but it shouldn't be mandatory. Maybe roll out your own instead of using Google.


----------



## shkhln (Dec 18, 2021)

I don't remember Google enforcing anything, however their primary auth method works via TOTP, not some lame SMS service. (You definitely don't want to give Google your phone number though, they'll enable account restore through SMS, which is obviously a huge risk.)


----------



## drhowarddrfine (Dec 18, 2021)

Remember that 2FA is not necessarily by phone but can be done via email, too. 2FA means "two factor authorization" and not "phone".


----------



## SirDice (Dec 18, 2021)

drhowarddrfine said:


> Remember that 2FA is not necessarily by phone but can be done via email, too. 2FA means "two factor authorization" and not "phone".


Or through hardware or software tokens.

Two factor authentication is something you have (a token, email, phone, etc.) and something you know (password, PIN, etc.).


----------



## obsigna (Dec 18, 2021)

shkhln said:


> I don't remember Google enforcing anything, however their primary auth method works via TOTP, not some lame SMS service. (You definitely don't want to give Google your phone number though, they'll enable account restore through SMS, which is obviously a huge risk.)











Making sign-in safer and more convenient (blog.google)
				




Basically they're going to change the policy from opt-in to 2FA to opt-out from 2FA. In case Google would opt out from letting their users opt out, then I will opt out from Google.


----------



## shkhln (Dec 18, 2021)

I'm honestly unable to understand that blog post. I recognize some English words, but there is just too much PR-speak. What are they rolling out? Some ssh key auth equivalent?


----------



## obsigna (Dec 18, 2021)

shkhln said:


> I'm honestly unable to understand that blog post. I recognize some English words, but there is just too much PR-speak. What are they rolling out? Some ssh key auth equivalent?


Let me read it for you:


> ... which requires a simple tap on your mobile device to prove it’s really you trying to sign in. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state. By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on. ...



2SV = Two-Step Verification is just another name for 2FA. Android users are identified by their phone numbers, and those are already fucked by Google anyway. iOS users are asked to use Chrome and the Google Password Manager. It does not take much to imagine that these are working with some kind of crypto tokens. Equivalent to ssh key authentication? I guess not, because this would be 1SV only. Google requires you to have a password.


----------



## shkhln (Dec 18, 2021)

That tells me nothing about whether those phone keys (for lack of a better term) replace other auth factors or how I can back up/regenerate them. You know, actually important things. As for the automatic enroll, you give Google your phone number, you get what you deserve. (Yes, it's very difficult to avoid, but that's another issue.)


----------



## LordInateur (Dec 18, 2021)

Friendly reminder that MFA isn't just for people who lose their passwords often. Databases get broken into all the time; even the likes of Google, Facebook et al. have been known to fail to secure their logs or apply encryption / salts to passwords from time to time. Services like HaveIBeenPwned are only helpful when a credential database has been leaked, and so without MFA there's nothing in the security stack that can differentiate between "correct" login attempts and "incorrect but still authenticated". A lot of places are adding on to the traditional "what you have / what you know / who you are" setups by also including "what you do" and "where you are" factors, i.e. the latter (did this person log in from France when they are normally in California?) has been helpful for some of the institutions that I work with. Counterintuitively, even NIST now recommends a shorter password that is easier to remember and not changed often (as long as it's paired with MFA) over solutions that require often-rotated long passwords with minimum character/symbol counts.

Now, more specifically: I do recommend avoiding SMS-based MFA. Hardware-based tokens, TOTP-based tokens, or push notifications tend to be more secure. So, the Big Tech moves toward mandatory MFA are important, and probably good for the security culture in general.


----------



## Scribner (Dec 18, 2021)

shkhln said:


> (You definitely don't want to give Google your phone number though, they'll enable account restore through SMS, which is obviously a huge risk.)


I've actually been thinking about this a lot lately. I use 2FA on Google with my phone and phone number, but I'm worried I could (theoretically) lose access to my phone number. I would prefer account restore through my secondary email address only. Is this what you were talking about, and, if so, could you comment more on it?


----------



## shkhln (Dec 18, 2021)

shkhln said:


> That tells me nothing whether those phone keys (for the lack of better term) replace other auth factors


I suspect it's some kind of enhancement for "remember this computer" feature, but the blog post (and some people there as well) keeps treating me like a dummy.


----------



## shkhln (Dec 18, 2021)

Scribner said:


> I've actually been thinking about this a lot lately. I use 2FA on Google with my phone and phone number, but I'm worried I could (theoretically) lose access to my phone number. I would prefer account restore through my secondary email address only. Is this what you were talking about, and, if so, could you comment more on it?


There isn't any kind of safe restore strategy at all (secondary email sounds incredibly risky). Google allows you to generate and print unlocking codes on paper, if you lose those you are completely screwed.


----------



## mer (Dec 18, 2021)

Google hasn't been "mandating" it, but they certainly have been popping up a lot of reminders.  They also have a selection of methods, at one point in time I think SMS was their primary, but they've obviously changed it.

Email is a good alternative but "I'm trying to log into my email that you want me to 2FA with and you just sent the 2FA to the email I'm trying to log into".    Almost mandates you having 2 email accounts on separate providers.

Hardware things like yubikeys are nice, but even then recommendations seem to be "have more than one yubikey".  Kind of related, does a yubikey work on a FreeBSD system?  If it's been discussed somewhere, a link is fine.

Google and Facebook also say "we'll ask for 2FA if the login is from a computer we don't recognize" so it's not asked for every time.
A lot of banking stuff seems to say "remember this computer", which seems to defeat the purpose of 2FA.  Amazon also has the "remember me".

There are some apps that are compatible with Google Authenticator (I think one our corp sec guy recommended was called something like andOTP) with which you can push stuff to the cloud, so if you lost your phone, you can simply get a new one and "resync" the data.

I've seen a couple of YouTube things discussing the algorithm behind TOTP: a relatively simple algorithm, kind of elegant in the engineering sense, but repeatability depends on time being in sync.  Anyone that's dealt with similar immediately goes "ooh, what if I'm a second fast or slow"  (I know I did).

I think the real answer is that all the people that want to steal the data should really just get a stern talking to and they will understand the error of their ways and they will stop.  Then they will convince others to stop stealing.  

( the last paragraph was sarcasm just in case it wasn't obvious )


----------



## kpedersen (Dec 18, 2021)

Perhaps one day Google will modernize and allow us to use asymmetric private/public keys? Maybe even one day it will be the default.


----------



## ct85711 (Dec 18, 2021)

I wouldn't mind 2FA if more sites actually would support key-based authentication like a YubiKey.  Sadly, few sites even support using something like the YubiKey outside of GitHub, Gmail, and maybe eBay (there is a much larger list), but the main spots you'd want to protect aren't there.  The key spots that should support it, like banking and online shopping, still aren't there.

SMS was a good idea when it was first implemented; the problem is that it never was designed to be secure (this was way before 2FA was a big thing).  Even nowadays, SMS doesn't protect you when some other country can easily access the SMS network and read anything from it.


----------



## ralphbsz (Dec 18, 2021)

Lamia said:


> Why would Google enforce it on selected millions of her users to start with?


For the same reason that the government has decided that using a seat belt is mandatory, that houses need smoke detectors and fire sprinklers, that motorcyclists need to wear a helmet, that some of our taxes have to be used for fire fighters, that cars need to follow certain safety standards, and public drinking water needs to be germ free.

Except that the Internet doesn't have government regulation, as governments have in general been about 30 years behind the technological developments. That's why the big providers are leading the charge to make the world safer.


----------



## LordInateur (Dec 18, 2021)

ralphbsz said:


> For the same reason that the government has decided that using a seat belt is mandatory, that houses need smoke detectors and fire sprinklers, that motorcyclists need to wear a helmet, that some of our taxes have to be used for fire fighters, that cars need to follow certain safety standards, and public drinking water needs to be germ free.
> 
> Except that the Internet doesn't have government regulation, as governments have in general been about 30 years behind the technological developments. That's why the big providers are leading the charge to make the world safer.



Maybe not, but they do have cybersecurity insurance that mandates these sorts of things.


----------



## Phishfry (Dec 18, 2021)

I hate that users have this extra burden.
With appropriate controls like limited login attempts, the burden is in the provider's court.
Passwords work fine. Not random or ever changing.
Software password guessing tools will only make this worse unless providers tighten up.
Heuristic tests too, with IPs.





NY Man Pleads Guilty in $20 Million SIM Swap Theft – Krebs on Security (krebsonsecurity.com)


----------



## LordInateur (Dec 18, 2021)

Phishfry said:


> With appropriate controls like limited login attempts the burden is in the providers court.



I've never cared for this particular control: some view "maximum attempts" to be a good security measure, but I view it as an easy way to target a DoS attack (violation of "availability" in the Security Triad). (Edit: in conjunction w/ IP heuristics, maybe not so much... but then again, it's easy to change an IP.)
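An added, defender's-side illustration of the trade-off discussed in this exchange (example code written for this page, not from the thread): a plain per-account lockout lets any stranger deny the real owner access, while a backoff keyed on (account, source) keeps a stranger's failures from affecting the owner. Account names and addresses are constructed.

```python
from collections import defaultdict

class AccountLockout:
    """Classic 'max attempts': N failures lock the account for everyone,
    whichever source the failures came from."""
    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, source_ip, now):
        return self.locked_until.get(account, 0) <= now

    def record_failure(self, account, source_ip, now):
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0

class SourceBackoff:
    """Exponential backoff keyed on (account, source): failures from one
    source delay only that source, so a third party cannot lock the owner
    out. An attacker who rotates addresses (easy, as noted in the post)
    still needs a global or per-account rate cap on top of this."""
    def __init__(self, base_seconds=1, cap_seconds=3600):
        self.base, self.cap = base_seconds, cap_seconds
        self.failures = defaultdict(int)
        self.next_ok = {}

    def allowed(self, account, source_ip, now):
        return self.next_ok.get((account, source_ip), 0) <= now

    def record_failure(self, account, source_ip, now):
        key = (account, source_ip)
        self.failures[key] += 1
        delay = min(self.cap, self.base * 2 ** (self.failures[key] - 1))
        self.next_ok[key] = now + delay

def simulate(policy, now=1_000_000):
    """Constructed scenario: five wrong passwords for 'alice' arrive from one
    address, then alice herself tries from her own address.
    Returns (owner_allowed, stranger_allowed)."""
    for _ in range(5):
        policy.record_failure("alice", "203.0.113.9", now)
    return (policy.allowed("alice", "198.51.100.7", now),
            policy.allowed("alice", "203.0.113.9", now))

if __name__ == "__main__":
    print(simulate(AccountLockout()))   # (False, False): owner locked out too
    print(simulate(SourceBackoff()))    # (True, False): only the noisy source waits
```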


----------

