Computer

Google no longer requires phone number for two-step verification

Google no longer requires phone number for two-step verification

The two-step verification by Google is an additional security option designed to protect each user’s account from unauthorized access. It works by adding a second level of verification, which goes hand in hand with entering the correct password when logging in. The news is that from now on, as announced by the Mountain View company, a telephone numbertypically a mobile user, to enable two-step verification.

What does it mean that Google no longer requires your phone number for two-step verification

In another article we saw what two-step verification is and how it works. In a note that recently appeared online, Google explains that in order to simplify things, from now on it will be possible to activate two-step verification (2SV, Two-Step Verification) without specifying any personal telephone number.

Until today, in fact, the company founded by Larry Page and Sergey Brin asked users to provide a reference user anyway. Now, taking ourselves into the account settingsby clicking on Safety and finally up Two-step verificationit’s possible skip the step linked to the insertion of a telephone number.

Although the article published by Google highlights the fact that this change will help administrators enforce the policy 2SV in their organizations (think of all the organizations that use the platform Google Workspace), the decision will certainly be appreciated by all users.

We’ve said it in every way: using SMS as a second factor is a reckless practice. THE confirmation codes sent via SMS, they can in fact easily be the subject of theft. This is why it is important to rely on other, much safer methodologies.

What authentication mechanisms can be used on Google

Putting aside the insertion of the phone number, Google now allows you to enable two-step verification using three different tools:

  • OTP codes generated on a dedicated app. After logging in with the correct username and password, you can use an authentication app such as Google Authenticator or Microsoft Authenticator to generate OTP codes. However, there are many alternative open source applications for authentication: among these there are, for example, Aegis per Android, 2FAS per Android/iOS o Ente Auth (Android/iOS).
  • Hardware security token. Instead of the phone number and therefore the sending of SMS, Google allows you to use hardware security keys such as YubiKey. These also allow you to effectively protect your user account. Google says the tokens will be registered as FIDO1, even if the key supports FIDO2.
  • Passkey. As a further alternative, it is possible to create a passkey associated with the Google account: the system will manage it as a FIDO2 credential. In another article we tried to highlight the advantages and disadvantages of passkeys, an authentication and authorization tool that also aims to be an alternative to passwords and in which Google, as well as many other companies, are investing heavily.

Additional safeguards for users who disable two-step verification

In their brief speech, Google spokespersons add that when a user who had enabled two-step verification for their account disables the setting, the other second factors will no longer be automatically removed. Think about backup codes, connected applications that generate OTP codes, the smartphone used as a second factor.

The measure appears to be aimed at providing additional safeguards for users. In some circumstances, in fact, the disabling two-step verification it could put users in the position of no longer being able to access their accounts. With the changes just applied, you will no longer run this risk.

Furthermore, as noted above, the changes applied to the two-step verification process are not exclusive to Google Workspace users but are extended to everyone, including those who use personal accounts.

Google is keen to point out that the changes applied to the two-step verification system are currently being rolled out and that it may be some time before they are available to the entire user base.

Leave a Reply

Your email address will not be published. Required fields are marked *