Tag Archives: identity

Use an Android phone as a security key for 2-Step Verification

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.



What’s changing

We’re adding an option to use your Android phone’s built-in security key for multi-factor authentication in G Suite. All phones running Android 7.0+ (Nougat) have a built-in key which can be activated. This means your users can use existing phones as a primary 2-Step Verification method to protect against phishing. Using a phone as a security key is currently offered in beta.

Who’s impacted 

Admins and end users

Why you’d use it 

2-Step Verification greatly improves the security of your account by adding another layer of protection and making it more resistant to phishing attacks. By adding the option of using your Android phone’s built-in security key, we’re expanding access to a phishing-resistant 2-Step Verification method in a convenient form: your phone. This can make it faster for you to implement 2-Step Verification in your organization while keeping user training and overall costs to a minimum.

Previously, in order to protect your users against password phishing, the only option was to use a security key fob. With this beta, their mobile phone can be that security key.

How to get started 




Additional details 


  • Available to G Suite, Cloud Identity, GCP customers, and personal Google Accounts. 
  • Available on phones running Android 7.0+ (Nougat) with Google Play Services. 
  • Compatible with Bluetooth-enabled Chrome OS, macOS X, or Windows 10 devices with a Chrome browser. 



2-Step Verification on a Pixel 3 

Helpful links 




Availability 

Rollout details



G Suite editions 

  • Available to all G Suite editions in beta. 


On/off by default? 

  • If 2-Step Verification or Security Key Enforcement is turned on for an organization, Android phones will be available as a security key option by default.


Stay up to date with G Suite launches

New 2-Step Verification options for G Suite accounts

What’s changing 

We’re updating how 2-Step Verification works for G Suite. This will make new 2-Step Verification methods available for some devices, and update the 2-Step Verification user interface on mobile and desktop devices. There are three key impacts:

  • New 2-Step Verification interfaces 
  • Different screens on different browsers (Safari, Edge, etc.) 
  • Expanded Bluetooth security key support 


Who’s impacted 

Admins and end users

Why you’d use it 

We hope that these updates make 2-Step Verification easier to use. 2-Step Verification puts an extra barrier between your business and cybercriminals who want to access business data. Turning on 2-Step Verification is the single most important thing you can do to make your accounts more secure and protect your business.

How to get started 




Additional details 

New 2-Step Verification interfaces: You may see new illustrations, text, and instructions in the images and dialogs of the 2-Step Verification flows when using a Bluetooth or USB security key. See images below for examples of the types of changes.

Different screens on different browsers: You may see different flows on Chrome, Safari, Firefox, Edge, and other browsers. Previously the service provider (Google) was responsible for showing these dialogs. Now the web browser is responsible. As a result, the flow may be different on each browser.

Expanded Bluetooth security key support: Bluetooth keys will start rolling out, and can be enabled with a flag on Linux.


The new 2-Step Verification screen on Google Chrome browser 


The old 2-Step Verification screen 

Helpful links 

Help Center: Protect your business with 2-Step Verification

Availability 

Rollout details 



G Suite editions
Available to all G Suite editions.

On/off by default? 
The updated user interface will be ON by default.


Disable SMS or voice codes for 2-Step Verification for more secure accounts

What’s changing 

We’re adding an option for admins to disable telephony options as 2-Step Verification methods for G Suite accounts in their domain. This option will prevent their users from using SMS and voice codes for 2-factor authentication.

Who’s impacted 

Admins only

Why you’d use it 

There are many forms of 2-Step Verification—from text (SMS) message codes, to the Google Authenticator app, to hardware second factors like security keys. And while any second factor will greatly improve the security of your account, we’ve long advocated the use of security keys for those who want the strongest account protection.

As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations. The present release does just that - admins get a policy that can enforce the use of multi-factor authentication without permitting SMS and voice verification codes. 

This new policy gives admins more control over the security methods used in their domain, and increases the security of user accounts and associated data.

How to get started 


  • Admins: Apply the new policy by changing the setting at Admin console > Security > Advanced security settings > Allowed two step verification methods
  • End users: No action needed unless admin changes configuration. 

2-factor authentication options in the G Suite Admin console 


Additional details


How users can configure 2-Step Verification once the policy is enforced 
Users with the new policy applied will not be able to add SMS- or voice-based codes as an option - either when enrolling in 2-Step Verification for the first time or later at myaccount.google.com. A user enrolling in 2-Step Verification for the first time will see the screen below. This first provides an option to set up Google Prompt, as well as ‘Choose another option’ which will let them add a Security Key instead.


Avoid user sign-in issues 
Users affected by the new policy who have SMS/Voice as the only 2SV method on their account will not be able to sign in. To avoid this lock-out situation, see our Help Center to get tips for how to ensure a smooth transition to an enforcement policy.

Helpful links 



Availability 

Rollout details 
G Suite editions 
Available to all G Suite editions

On/off by default? 
The new policy is not enabled by default. Admins need to explicitly choose to apply this policy on an OU/Group basis, like the other existing 2SV enforcement policies.


Secure LDAP now generally available to simplify the management of traditional applications

We’re making secure LDAP generally available. See our post on the Google Cloud Blog for the full announcement, or read a summary of what this means for G Suite organizations below.

Secure LDAP lets you manage access to traditional LDAP-based apps and IT infrastructure using the G Suite identity and access management (IAM) platform. This means organizations can use a single user directory to manage access to both SaaS apps and traditional LDAP-based apps and IT infrastructure, and users can use the same login credentials for more apps and services. The benefits to your organization can include:


  • Simpler administration: Manage applications and users in one place, decreasing complexity and cost for IT teams. 
  • Improved security: A single place to set up identity and access policies. 
  • Minimized legacy infrastructure: Reduce your dependency on legacy identity infrastructure such as Microsoft Active Directory. 


Using secure LDAP doesn’t change end user workflows—applications and IT infrastructure that use LDAP can be simply reconfigured to use the secure LDAP service.

Works with a wide range of apps and IT infrastructure 

Virtually any app that supports LDAP over SSL can work with secure LDAP, whether it’s hosted on-premises or in the cloud. We’re actively working with many companies to validate their apps for this use case, including Aruba Networks (HPE), Atlassian, itopia, JAMF, Jenkins (Cloudbees), OpenVPN, Papercut, pfSense (Netgate), Puppet, Softerra, Sophos, Splunk, and Synology.

For more information, see our Cloud Blog post on the announcement. You can also check out our Help Center for more details on how to get started with the secure LDAP service.

Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release

Editions: 
Available to G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and Cloud Identity Premium editions only

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
Admins only

Action: 
Admin action suggested/FYI

More Information
Help Center: About the Secure LDAP service
Google Cloud Blog: Cloud Identity now provides access to traditional apps with secure LDAP


Launch release calendar
Launch detail categories
Get these product update alerts by email
Subscribe to the RSS feed of these updates

Changes to the Google sign-in interface coming soon

Starting November 27th, 2018, we’ll make some small changes to the appearance of the Google sign-in page. These follow changes made earlier this year, which updated the sign-in page to match the Material Design principles used in other Google products.

Specifically, you might notice outlines around some entry fields, and changes to the spacing and styling of other text on both the web and mobile screens. The changes will start to take effect on November 27th and may take up to two weeks to reach all users.

See the new sign-in UI 

Sign-in page that will start rolling out on November 27, 2018

Sign-in page prior to November 27, 2018


Launch Details 
Release track:
Launching to both Rapid Release and Scheduled Release 

Editions: 
Available to all G Suite editions

Rollout pace: 
Gradual rollout (up to 15 days for feature visibility)

Impact: 
All end users

Action: 
Change management suggested/FYI


Update: new Google sign-in screen launching this week

Last month, we announced a new look for the Google sign-in screen. Unfortunately, due to unforeseen delays, we’re now rolling out the new design this week, with some minor changes.

Going forward, you may notice that when you sign in to your G Suite account, the screen looks slightly different. Some of the changes include tweaks to the Google logo and center alignment of all items on the screen. See below for before and after images.

Previous Google sign-in screen

New Google sign-in screen


Please note that the outline around the text field (mentioned in our previous announcement) will appear in the coming months.

We apologize for any inconvenience this delay and change may have caused.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI



A new look for Google sign-in screens on June 14th

In 2014, we introduced Material Design, a visual language that helps developers create intuitive and beautiful products. Since then, we’ve steadily updated our G Suite apps to adhere to Material principles. Next week, we’ll bring this same design to Google sign-in screens.

Starting on June 14th, 2018, you may notice that when you sign in to your G Suite account, the screen looks slightly different. Some of the changes will include tweaks to the Google logo, an outline around the text field, and center alignment of all items on the screen. See below for before and after images.

Current Google sign-in screen with left-aligned text

New Google sign-in screen with center-aligned text

If necessary, please provide your users advance notice of these changes.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on June 14th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI



Coming May 7th, 2018: A more secure sign-in flow on Chrome

If your organization uses SAML to sign users in to G Suite services*, those users will soon see an additional step in the process when using Chrome as their web browser. Starting on May 7th, 2018, after signing in on a SAML provider’s website, they’ll be brought to a new screen on accounts.google.com to confirm their identity. This screen will provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.


To minimize disruption for the user, this feature will only be shown once per account per device. We’re working on ways to make the feature even more context-aware in the future, meaning your users should see the screen less and less over time.

Protecting against phishing attacks
This new screen is intended to prevent would-be attackers from tricking a user (e.g. via a phishing campaign) into clicking a link that would instantly and silently sign them in to a Google Account the attacker controls. Today, this can be done via SAML single sign-on (SSO), because it doesn’t require a user interaction to complete a sign-in. To protect Chrome users, we’ve added this extra protection.

Creating a consistent identity
This new security feature is part of a larger project to create a consistent identity across Google web services (like Gmail) and native Chrome browser services (like Chrome Sync). This consistency will make it easier for signed-in G Suite users to take advantage of native Chrome browser features, but it requires additional protection during authentication. This new screen adds that protection and reduces the probability that attackers successfully abuse SAML SSO to sign users in to malicious accounts.

Disabling the new screen
If you wish to disable the new screen for your organization, you can use the X-GoogApps-AllowedDomains HTTP header to identify specific domains whose users can access Google services. Users in those domains won’t see this additional screen, as we assume those accounts are trusted by your users. This header can be set in Chrome via the AllowedDomainsForApps group policy.


*This won't impact individuals who sign in to G Suite services directly and those who use G Suite or Cloud Identity as their identity provider. The screen is also not shown on devices running Chrome OS.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release on May 7th, 2018

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI



Receive Google prompts on iOS devices via the Gmail app

In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature. Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account.


Note that if users have both the Google and Gmail app installed on their iOS device, they’ll see prompts from Gmail.

For more information, visit the Help Center.

Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Extended rollout (potentially longer than 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts


Making Google prompt the primary choice for 2-Step Verification

In July, we began inviting users to try Google prompt as their 2-Step Verification (2SV) method, instead of SMS text messages. Google prompt is an easier and more secure method of authenticating an account, and it respects mobile policies enforced on employee devices.


With that in mind, we’re now making Google prompt the first choice when users turn on 2SV (previously, SMS was the primary choice). Once 2SV is enabled, users will still have the option to set up SMS, the Google Authenticator app, backup codes, or Security Keys as their alternative second step.


This will only impact users who have not yet set up 2SV. Current 2SV users' settings will be unaffected. In addition, if a user attempts to set up 2SV but doesn’t have a compatible mobile device, he or she will be prompted to use SMS as their authentication method instead.

Users can set up 2SV from their My Account page.

A few things to note:
  • A data connection is required to use Google prompt.
  • Users with iOS devices will need to install the Google app in order to use Google prompt.
  • G Suite Enterprise domains can choose to enforce Security Keys to meet more advanced security requirements.


Launch Details
Release track:
Launching to both Rapid Release and Scheduled Release

Editions:
Available to all G Suite editions

Rollout pace:
Gradual rollout (up to 15 days for feature visibility)

Impact:
All end users

Action:
Change management suggested/FYI

More Information
Help Center: Sign in faster with 2-Step Verification phone prompts

