Google Blazes New Trails in Authentication

Two-factor and multi-factor authentication historically have been based on using two or more of three criteria:  something you know (passwords), something you have (security token) or something you are (biometrics such as fingerprints).  There have been two new additions to MFA criteria: something you do (keyboard cadence or mouse movement), and somewhere you are (geo-location through GPS or public IP address).

Google has been busy heightening security for its account holders and has several new security offerings that use the new categories.

Google Titan – We have already published an article about Google Titan, their new FIDO-compliant U2F security key. Although I have relied on LastPass for two-factor authentication, I have decided to add a U2F key to the mix for redundancy. This way if I lose access to LastPass for some reason, I have another method to unlock my accounts.

reCAPTCHA v.3 – Google has also updated their reCAPTCHA to version 3, which is based on modeling the way that users interact with a site, including things such as keyboard cadence, mouse patterns, and geo-location information. This will mean no more solving “I am not a robot” puzzles on websites where this feature is deployed. If you are a web developer or site operator who is interested in this feature, Google has information for you on their website.
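For site operators, an added example (not from the original article and not Google's code) of the server-side decision that replaces the puzzle: it reads the JSON fields reCAPTCHA v3's verification response returns (`success`, `score`, `action`, `hostname`, `error-codes`) and fails closed. The thresholds, the `login` action name, the hostname and the sample responses are assumptions constructed for illustration.

```python
import json

# Assumed thresholds; tune them against your own traffic.
ALLOW_AT = 0.7    # at or above: treat the request as human
STEP_UP_AT = 0.3  # between the two: ask for a second factor

def decide(body, expected_action, expected_hostname):
    """Map a verification response body to ('allow'|'step_up'|'deny', reason)."""
    try:
        data = json.loads(body)
    except ValueError:
        return "deny", "unparseable response"
    if not isinstance(data, dict) or data.get("success") is not True:
        codes = data.get("error-codes") if isinstance(data, dict) else None
        return "deny", "token rejected: %r" % (codes,)
    # A token issued for another action or another site must not count here.
    if data.get("action") != expected_action:
        return "deny", "action mismatch"
    if data.get("hostname") != expected_hostname:
        return "deny", "hostname mismatch"
    score = data.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "deny", "missing score"
    if score >= ALLOW_AT:
        return "allow", "score %.1f" % score
    if score >= STEP_UP_AT:
        return "step_up", "score %.1f" % score
    return "deny", "score %.1f" % score

# Constructed sample responses (not captured from Google).
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "action": "login",'
             ' "hostname": "www.example.com"}',
    "uncertain": '{"success": true, "score": 0.5, "action": "login",'
                 ' "hostname": "www.example.com"}',
    "bot": '{"success": true, "score": 0.1, "action": "login",'
           ' "hostname": "www.example.com"}',
    "wrong_action": '{"success": true, "score": 0.9, "action": "signup",'
                    ' "hostname": "www.example.com"}',
    "expired": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, decide(body, "login", "www.example.com"))
```
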

Account sign-in enhancements – This new feature will use location and behavior information to detect and prevent fraudulent log-in attempts by people who are not you. Sign-in activity is analyzed and access is granted only when Google decides the log-in is really from you. This new feature will rely on JavaScript to work, so if you are one of the people who have disabled JavaScript in your web browser, you will need to enable it for Google. Without JavaScript, Google will be unable to determine if it is really you, and will deny access.

If Google determines that your account was fraudulently accessed, you will need to confirm recovery information such as phone numbers, email addresses, or knowledge-based questions and answers for unauthorized changes. You will also be asked to look for unauthorized financial activity on your account, or unauthorized access to Google Drive or third-party sites where you use Google to log in. You can see what options are available for you on Google’s “Secure a hacked or compromised account” page.

I know we just took Google to task for its Big Brother-like omnivorous surveillance and data collection practices. Google is also a bit like a nicer, gentler, lower-case big brother who looks out for you and protects you from danger.  A little bit of Jekyll, a little bit of Hyde, and pretty much unavoidable if you own an Android phone or use the Internet.  But these features are good news for those of us with Google accounts.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
