G Suite admins can now ban staff from using insecure SMS for two-factor authentication

Google is rolling out an update for its G Suite business products that lets admins disable the use of SMS and voice verification codes for 2-factor authentication.

Google for its part recommends that organizations use hardware security keys such as its Titan keys or Yubico’s keys. However, the company says it introduced the ability to block SMS verification due to demand from admins who are increasingly aware of the weaknesses of relying on SMS.

“As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations,” Google said in a blog post today.

As it notes in a support document, using text messages to receive verification codes is “discouraged” because “they rely on external carrier networks and might be intercepted”.

One such attack is known as “SIM swapping”, where an attacker impersonates a carrier’s customer and convinces an employee to transfer the victim’s number to the imposter.

Google last year reported that none of its 85,000 employees had been successfully phished since it mandated that all employees use physical security keys.

Admins can ban the use of SMS and voice codes by changing the setting in the Admin console to allow any 2-step verification methods except verification codes via text or phone call.

Read full news article on CSO