Two-factor authentication is a far more secure way to protect your accounts than using a password alone. The process has typically been as simple as entering a freshly generated code, provided to you via an app or SMS, in addition to your password. The extra step of fetching and typing in the generated code keeps your account secure even if your password is compromised, offering an extra layer of account security. The extra time it takes is also why astoundingly few people take advantage of two-factor authentication.
Introducing Google Prompt
Google just released Google Prompt, a new two-factor authentication method that allows you to give two-factor authentication security to your Google account with a mere tap on your personal device. There is no more need to generate and enter extra numbers or letters. When logging into your Google account, simply enter your password as usual and then you will see a prompt on your personal device. Tap approve and you will be logged in. Simple and strong security for your account.
It is important to note that this solution requires your device to be connected to the internet. Other cloud-based identity providers, such as Okta, offer similar solutions for enterprise customers, with options such as “mobile push authentication.”
How to Enable Google Prompt
Before enabling Google Prompt, you will need to enable two-factor authentication for your Google account. If you already have two-factor authentication enabled for your account, you can skip to the next step.
Enable Two-factor Authentication:
- Go to the 2-Step Verification page. You might have to sign in to your Google Account.
- In the “2-Step Verification” box on the right, select Start setup and enter your password again.
- Provide the phone number you want to use for authentication, choose either an SMS or a phone call for verification, and click ‘Try it.’
- Enter the 6-digit code from the SMS or phone call and select ‘Next.’
- For setting up two-step verification, click ‘Turn ON.’
Enable Google Prompt:
Google Prompt uses the Google Search app on iOS devices or the built-in Google Play app on Android devices. If you have an iOS device, start by downloading the Google Search app and sign in to it with your Google account, if needed. If you have an Android device, you can simply update your Google Play app.
Once you have the latest Google Search app (for iOS) or Google Play app (for Android):
- On the 2-Step Verification page, select the option for ‘Google Prompt.’
- Select the device you’d like to enable.
- Select ‘Try it.’ (Check out Google’s Help Center for more detailed information)
Google Prompt is now enabled, giving you simple-to-use, strong security for your account.
You may have heard all the buzz about Pokémon Go, Nintendo’s latest generation of games developed after the popular animated show from the ’90s, created as a mobile phone app. In their haste to download and install the latest and greatest, users are also falling victim to malicious apps disguised as tutorials or alternate versions of the game. As the app is only officially offered in the US, New Zealand, UK, and Australia, users in other countries are passing around Android Package Kit (APK) files in an attempt to play the game as well. However, installing the APK requires users to “sideload” the app, which means modifying their core Android security settings to allow the device to install applications from untrusted third-party sources.
Users have been cautioned against these illegal downloads, as one of the popular APK files has been modified to install a backdoor known as DroidJack. DroidJack is a Remote Access Tool (RAT) that allows third parties to take remote control of a user’s device, record private conversations, read emails, browsing history, and texts, and track the user’s physical location, all without their knowledge. If a user has downloaded DroidJack on any device linked to their bank accounts or corporate/personal email, all that information is now available to untrusted third parties.
The threat of this malicious software is very real, as the security firm Proofpoint discovered the infected version of the app within 72 hours of the game’s launch in New Zealand and Australia on July 4th. To check whether the version of the app installed on your device is malicious, navigate to your Android device settings for Pokémon Go and scroll through the list of app permissions. If the version installed on your device has permission to directly call phone numbers, read/edit your SMS messages, record audio, read browser history, read/edit your contacts, read/edit call logs, and edit network connectivity, then you should wipe your device immediately. This is the only guaranteed method of removal from your device. Business leaders, especially those overseas, caution your employees about this application, as the user base is not exclusive to any age group.
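The permission check described above can be run across many devices by parsing the text that `adb shell dumpsys package <package>` prints. The following is an added example, not part of the original article: the mapping from the article's plain-language permissions to Android permission constants is an assumption, and the package name `com.example.game` and both sample dumps are constructed.

```python
import re

# Assumption: these Android permission constants correspond to the plain-language
# permissions listed in the article, which names no constants itself.
INDICATORS = {
    "call phone numbers": {"android.permission.CALL_PHONE"},
    "read/edit SMS": {"android.permission.READ_SMS", "android.permission.WRITE_SMS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "read browser history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "read/edit contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "read/edit call logs": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "edit network connectivity": {"android.permission.CHANGE_NETWORK_STATE"},
}
# An indented permission name, optionally followed by ": granted=true|false".
PERM_LINE = re.compile(r"^\s+([\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")

def held_permissions(dumpsys_text):
    """Permissions requested in `dumpsys package` text, minus those explicitly denied."""
    requested, granted, denied = set(), set(), set()
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if m:
            name, state = m.groups()
            requested.add(name)
            if state:
                (granted if state == "true" else denied).add(name)
    return (requested - denied) | granted

def audit(dumpsys_text):
    """Return {indicator label: matching held permissions} for indicators that hit."""
    held = held_permissions(dumpsys_text)
    return {label: sorted(p & held) for label, p in INDICATORS.items() if p & held}

def matches_article_profile(dumpsys_text):
    """True when every permission category the article lists is present."""
    return len(audit(dumpsys_text)) == len(INDICATORS)

# Constructed samples in the layout of `adb shell dumpsys package <package>` output.
def _sample(perms, denied=()):
    lines = ["Package [com.example.game] (constructed):", "  requested permissions:"]
    lines += [f"    {p}" for p in perms]
    lines += ["  runtime permissions:"] + [f"    {p}: granted=false" for p in denied]
    return "\n".join(lines)

CLEAN = _sample(["android.permission.INTERNET", "android.permission.CAMERA"])
TROJANIZED = _sample(sorted(set().union(*INDICATORS.values())) + ["android.permission.INTERNET"])
if __name__ == "__main__":
    for name, text in [("clean", CLEAN), ("trojanized", TROJANIZED)]:
        print(name, matches_article_profile(text), audit(text))
```

A partial match from `audit` is still worth a manual look, since the full-profile test mirrors only the exact combination the article describes.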
When working with CyberSheath, we will empower your organization against common threats such as these to effectively reduce risk through proper security and awareness training.