Google Blazes New Trails in Authentication

Two-factor and multi-factor authentication historically have been based on using two or more of three criteria:  something you know (passwords), something you have (security token) or something you are (biometrics such as fingerprints).  There have been two new additions to MFA criteria: something you do (keyboard cadence or mouse movement), and somewhere you are (geo-location through GPS or public IP address).

Google has been busy heightening the security for its account holders and has several new security offerings that use the new categories.

Google Titan – We have already published an article about Google Titan, their new FIDO-compliant U2F security key. Although I have relied on LastPass for two-factor authentication, I have decided to add a U2F key to the mix for redundancy. This way if I lose access to LastPass for some reason, I have another method to unlock my accounts.

reCAPTCHA v.3 – Google has also updated their reCAPTCHA to version 3, which is based on modeling the way that users interact with a site, including things such as keyboard cadence, mouse patterns, and geo-location information. This will mean no more solving “I am not a robot” puzzles on websites where this feature is deployed. If you are a web developer or site operator who is interested in this feature, Google has information for you on their website.

Account sign-in enhancements – This new feature will use location and behavior information to detect and prevent fraudulent log-in attempts by people who are not you. Sign-in activity is analyzed and access is granted only when Google decides the log-in is really from you. This new feature will rely on JavaScript to work, so if you are one of the people who have disabled JavaScript in your web browser, you will need to enable it for Google. Without JavaScript, Google will be unable to determine if it is really you and will deny access.

If Google determines that your account was fraudulently accessed, you will need to confirm recovery information such as phone numbers, email addresses, or knowledge-based questions and answers for unauthorized changes. You will also be asked to look for unauthorized financial activity on your account, or unauthorized access to Google Drive or third-party sites where you use Google to log in. You can see what options are available for you on Google’s “Secure a hacked or compromised account” page.

I know we just took Google to task for its Big Brother-like omnivorous surveillance and data collection practices. Google is also a bit like a nicer, gentler, lower-case big brother who looks out for you and protects you from danger.  A little bit of Jekyll, a little bit of Hyde, and pretty much unavoidable if you own an Android phone or use the Internet.  But these features are good news for those of us with Google accounts.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
