G Suite admins can now ban staff from using insecure SMS for two-factor authentication

Credit: ID 118879841 © Ikonstudio | Dreamstime.com

Google is rolling out an update for its G Suite business products that lets admins disable the use of SMS and voice verifications codes for 2-factor authentication.  

Google for its part recommends organizations use hardware security keys such as its Titan keys or Yubico’s keys, however the company says it introduced the ability to block SMS verification due to demand from admins who are increasingly aware of the weaknesses in relying on SMS. 

“As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations,” Google said in a blog today

As it notes in a support document, using text messages to receive verification codes is “discouraged” because “they rely on external carrier networks and might be intercepted”. 

One such attack is known as “SIM swapping”, where an attacker impersonates a carrier’s customer and convinces an employee to transfer the victim's number to the imposter.   

Google last year reported that none of its 85,000 employees had been successfully phished since it mandated all employees use physical security keys. 

Admins can ban the use of SMS and voice codes by changing the Setting in the Admin console to allow any 2-step verification methods except verification codes via text or phone call. Admins can also set the console to only allow security keys. 

From then on users under the policy won’t be able to add SMS or voice based codes as an option, including when enrolling in Google’s 2-Step Verification system or when accessing the user account.  

Other methods of 2-step verification Google supports include security keys, Google prompt, Google Authenticator, and backup codes. 

The company also warns small businesses that they’re increasingly in the line of fire and should enable 2-step verification. 

“Cybercriminals are increasingly targeting small businesses. If a hacker gets into your administrator account, they can see your email, documents, spreadsheets, financial records, and more. A hacker might be able to steal or guess a password, but they can’t reproduce  something only you have,” Google explains. 

The new security lockdown feature will be rolling out over the next month, starting from today.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Googlephishingtwo factor authenticationYubicoG Suitesecurity keys

More about GoogleYubico

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts