Google yesterday released a third option for its two-step verification, complementing the Google Authenticator phone app and FIDO U2F Security Keys. This release supports moving from two-factor to a true multi-factor authentication offering
Google Prompt is a push app for mobile authentication, similar to two-factor push solutions offered by others like Duo Security. There is no authentication solution that fits everyone’s needs, and Prompt has both advantages and challenges.
Google Prompt Advantages
- Free software to download/update on a smartphone, no additional device needed
- Allows moving from two-factor to a true multi-factor authentication offering
- Much easier than typing a code or PIN from Google Authenticator
Google Prompt Challenges
- Requires a data connection
- Does not protect against phishing and man-in-the-middle attacks
- Does not work with non-Google services
- Some organizations do not allow users to bring their phone to work
- Support and backup issues when the user’s phone (a single, expensive authenticator) is lost, broken, or has a dead battery
Currently, users can’t have Security Keys and Google Prompt enabled at the same time. We expect this will change soon, as Prompt is a better phone-based complement to the Security Key than Google Authenticator.
Google has spent the past five years building its strong authentication strategy with Prompt the latest piece of that plan, which also includes multiple protocols, cross-platform support and administrative tools. Prompt is an attempt to match capabilities already available in the identity and access management market such as Okta Verify, Centrify Push, and PingID Swipe.
Google’s ultimate goal is to build an identity-as-a-service (IDaaS) for enterprises, including a host of federation options (SAML, OIDC), and management tools such as mobile device management and provisioning, which is currently being tested by Salesforce, Slack, and Facebook at Work. Google discussed this IDaaS plan in early June 2016 at the Cloud Identity Summit with focus on Google IDP, Firebase Auth, and customer facing login.
Management of the identity and authentication ecosystem is an absolute requirement for the enterprise and we applaud Google’s efforts here. Strong authentication isn’t one method used everywhere — it’s a combination of options matched to use cases. Currently, FIDO U2F Security Keys, including YubiKeys, are proven to offer higher security, a faster login experience, and fewer support calls than any other authentication technology on the market.
YubiKey users can have one single and simple key to access a wide range of IT applications, including computers, servers, networks, leading online services and IAM platforms, as well as to sign and encrypt data.
Updated July 24, 2016 to clarify phishing, man-in-the-middle challenge
