BYOD and off-premise access to on-prem and/or behind-the-firewall resources is a huge problem for IT security.
Google has been testing alternative ways for its customers to authenticate (i.e., prove who they are). Adding your phone to multi-factor authentication (MFA) is not new. What is slightly new is how the phone is used. Google Authenticator (the “standard” way of adding your phone to MFA) is a pain – who wants to type in a number? There’s no password on Google Authenticator.
This new experiment relies on possession of the phone alone to grant access, an interesting concession to convenience.
Here’s my (free to use) suggestion for phone-based MFA:
- An authentication request pushes a notification to the phone
- Opening the alert takes you to the New and Improved Google Authenticator
- Fingerprint authentication is required to unlock the Google Authenticator app
- A BIG BUTTON reads “Do you want to log in to Application X?”
- Tap yes
Dear Google – off you go to implement please.
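The five steps above, sketched as a server/phone exchange. This is an added example, not Google’s code or anything the post ships: the phone holds a key enrolled at setup time (the possession factor), the server pushes a one-time challenge naming the application, and the tap comes back as an HMAC over exactly what the phone showed, so the server can reject an answer that is stale, already used, or for a different request. The `fingerprint_ok` callable stands in for the platform biometric API, and the 60-second lifetime is an assumed value.

```python
import hmac, hashlib, secrets, time

CHALLENGE_TTL = 60  # seconds a pushed prompt stays answerable (assumed value)

def _tag(key, request_id, app, nonce, decision):
    # HMAC over what the phone displayed and what the user answered, so the server
    # can check that the tap refers to exactly this request for exactly this app.
    msg = "|".join([request_id, app, nonce, decision]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AuthServer:
    """Server side: issues the push challenge and verifies the phone's answer."""
    def __init__(self, now=time.time):
        self.now = now
        self.device_keys = {}  # user -> key enrolled by the phone app
        self.pending = {}      # request_id -> pending login record

    def enroll_phone(self, user, key):
        self.device_keys[user] = key

    def request_login(self, user, app):
        # Step 1: a login attempt creates a one-time challenge; the returned dict is the push payload.
        rid = secrets.token_hex(8)
        self.pending[rid] = {"user": user, "app": app, "nonce": secrets.token_hex(16),
                             "issued_at": self.now(), "used": False}
        return {"request_id": rid, "app": app, "nonce": self.pending[rid]["nonce"]}

    def verify_approval(self, user, approval):
        # Step 5: accept the tap only if it is fresh, unused, for this user and correctly signed.
        rid = approval["request_id"]
        req = self.pending.get(rid)
        if req is None or req["used"] or req["user"] != user or user not in self.device_keys:
            return False
        if self.now() - req["issued_at"] > CHALLENGE_TTL:
            return False
        expected = _tag(self.device_keys[user], rid, req["app"], req["nonce"], approval["decision"])
        if not hmac.compare_digest(expected, approval["tag"]):
            return False
        req["used"] = True  # one tap answers one request; a second copy is rejected
        return approval["decision"] == "yes"

def phone_prompt(key, fingerprint_ok, push, tap_yes):
    # Steps 2-5 on the phone: the app stays locked until the fingerprint passes, then shows
    # "Do you want to log in to <app>?" and one tap signs the answer with the enrolled key.
    if not fingerprint_ok():
        return None  # nothing is signed without the fingerprint
    decision = "yes" if tap_yes else "no"
    tag = _tag(key, push["request_id"], push["app"], push["nonce"], decision)
    return {"request_id": push["request_id"], "decision": decision, "tag": tag}
```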