Last night, a member of reddit posted about a new setting that he saw within his Google account settings, asking him if he would like to sign in with his phone. It seems that Google is testing a feature that would allow for easy two-factor authentication for compatible phones. Security!
Redditor rp1226 agreed to Google’s test and added his email under the account that was linked with his Nexus 6P. Then, when signing in to his Google account on a desktop or laptop, his phone would light up and ask to be unlocked. The same would be said on the screen, and once the phone was unlocked through PIN, password, pattern, or fingerprint, all he had to do was tap and agree that it was indeed him trying to log in to his account.
It seems that Google has built a few failsafes into this system for cases such as the phone being out of battery or out of data coverage: users can just opt to log in with their password instead. Google mandates that this feature will only be functional with a screen lock, so people cannot steal your Google account if you lose your phone.
Are you saving a lot of time this way? Probably not. Is it the most secure form of two-factor authentication? Nope. But this could be an easy way to encourage people to password-protect their phones, as well as giving them a bit of that behind-the-scenes Google magic. No clue when or if we will see this roll out to more smartphones, but we will be keeping our eyes open in case it opens widely to the public.





Microsoft has this already, using the Microsoft app. It’s actually pretty neat, especially when you have Pushbullet.
Just adopt SQRL and be done.
The online security community has basically said that SQRL is FAIL.
Exactly what I was going to say. I never, EVER want a single device to be the master key for all my accounts.
It doesn’t have to be. This is the reason why I made the comment above. Most folks don’t understand it, aren’t willing to read the documents to understand and then just make assumptions. Welcome to the internet. Be informed, not just parroting the same tired argument.
Who exactly is the “online security community”? A lot of people hate a lot of things for reasons such as they don’t understand it or they have a product competing against it. A bunch of neckbeards claiming to be security experts tend to say a lot of things.
It’s apparently not you, and YOUR point is exactly why I’ll never use it. Do you need to do a full disclosure? Need an extra roll of TP with that?
They already do SMS 2-factor, and Google Authenticator. Both of which I use for various things/sites, including my google accounts. I like Google, but man, they are SQRLy as $hit. Their cycle seems to be create, push, adopt, forget-about, move on to the next thing.
So how does this differ from Authenticate? Did I miss something in the story?
Authenticator requires you to have your phone and then type in a code. This is more along the lines of they send your phone a message and you accept (or don’t accept) from the phone. Basically the same concept, reversed and with less typing.
AHA! Gotcha. Man alive I couldn’t figure out the difference. Thanks!
Also note it encourages people to use more complex passwords that generators can create! Now you don’t have to remember that complex password.
Nice! made it here too!
lol
You’re famous! Just beware the paparazzi.
https://media2.giphy.com/media/kO1WB0LVoH8By/giphy.gif
OW!!! Turn your damn flash off!!! It’s dark in here!!! lol