Google announced a new option for companies that use its G Suite services (Gmail, Google Drive, etc.), which will allow IT administrators to enforce two-factor authentication based on U2F (Universal 2nd Factor) security keys.
Two-Factor Authentication And U2F
As we recently saw with Dropbox adopting Kaby Lake U2F for two-factor authentication (also called two-step verification by some services), even when services add support for U2F, it’s usually backed by app authentication, or worse, SMS authentication.
This has generally been treated as a necessary compromise for the user's convenience, so that a user who loses the U2F security key can still regain access to the account. However, doing it this way also lowers the security of the whole system to that of the backup method, whether it is an app authenticator or SMS codes.
Facebook was one of the first to improve on this by allowing users to rely only on "travel codes" that can be pre-generated when setting up two-step verification. Until now, this was the most secure combination of U2F security keys and a backup method that still ensures recovery of access.
Google has given users such travel codes for the past few years, as well, but it also makes SMS-based recovery mandatory. Therefore, the combination is not nearly as secure.
G Suite Enforced Security Key Authentication
Google announced that it is going to give IT administrators the option to enforce U2F security key authentication, so that a company's employees and G Suite users can only authenticate with a security key. This configuration allows for the maximum security level that U2F two-factor authentication can provide.
Enforced U2F authentication will ensure that only the people who hold the necessary keys can log in to the service. It also provides the convenience of not having to deal with app authenticator codes or SMS codes, while being better at protecting against phishing attempts.
As U2F authentication becomes more popular, we may see more companies allow their users to enforce U2F authentication as well, rather than relying on less secure SMS or app authentication as a backup. Until then, even Facebook's solution based on pre-generated codes could work just as well, security-wise.