New 'Google Prompt' Security Feature Allows Two-Step Verification With One Click

Google announced that it’s going to enable a new form of two-step verification called “Google Prompt” that will require only a single click for users to log in to their Google accounts.

Google is one of the first technology companies that has enabled two-step verification (also called two-step authentication). The company has also made the Google Authenticator app, which acts similarly to SMS two-step verification, but instead of getting a six digit code through SMS, you get it in an app.

SMS two-step verification has become increasingly less reliable, because hackers can take advantage of the trivially hackable Signaling System Seven (SS7) that’s used by carriers to exchange information to intercept any SMS message or call you may be getting. They can also use social engineering to transfer your number to their phones, with the same result.

Once they can intercept your SMS codes, then they can log into your accounts, given they know your passwords, as well. However, most people don’t use very strong passwords, and they tend to re-use them across websites. That means that if a data breach happens to one of the services they are using, the attackers can gain access to their accounts, because they can find out both their passwords and their second factor SMS codes.

Google seems to be trying to make two-step verification both easier to use and more secure, and allow people to sign-in with a single click with the new Google prompt option. First, you will have to enable it in your Google account’s two-step verification security settings. After that, it will be used by default once you try to log in to your Google accounts.

Google didn’t say how it works exactly, but it doesn’t seem to use the biometric behavior technology that’s planned for Project Abacus. Instead, Google seems to check that a certain phone is yours, and then it sends you a prompt through the Play Services framework, asking whether it’s you that’s trying to connect to a Google account (for which you have this authentication method set up).

Because you’ll have to be connected to a Google account/Play Services on your phone before using it, this feature seems better suited for PC authentication, and less for mobile two-step verification.

Currently, the method works in combination with Google Authenticator and SMS authentication, but it doesn’t currently work with a Security Key. Because the authentication happens through Google’s servers, you’ll need an internet connection to receive the prompt.

Android users need only the latest Play Services update, but iOS users will need to have the Google Search app installed. Some users may not be able to see the Google prompt option in their two-step verification settings because the feature is being rolled out over the next three days.

This method is unlikely to work with any other service besides Google’s own for the time being, although Google may eventually release an API that developers could use to enable this sort of two-step verification for their mobile apps or Chrome apps, as well. The feature is dependent on Google servers’ security, so if Google’s servers are hacked, then this authentication method could also be compromised.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • JeremyH10
    I enabled it two days ago!
    Reply
  • TheDever
    Nice they caught up, MS had Ben doing this for years with android ware integration as well.
    Reply
  • ubercake
    Banks have finally implemented two-step verification though not one-click yet.

    My Blizzard account has always been more secure than my bank account.
    Reply
  • viciousteletuby28
    My Battle.net authenticator has already switched to one-click authentication, still waiting for the Google authenticator to catch up :-)
    Reply