Google pushing users away from insecure SMS two-factor authentication

Google recognized some time ago that two-factor authentication by SMS is insecure, because the SMS can be intercepted, in particular through SS7-based attacks. It had already introduced an alternative 2FA system based on software built into its Android operating system (or available via the Google Search app on iOS).

According to various media reports, in the coming days Google will start pushing users with SMS-based 2FA towards the new software-based 2FA system, to take SMS tokens and the associated risks out of the picture.

This is presumably in response to an increased number of SS7-based SMS token interceptions, which can result in Google email account takeovers by attackers.

The National Institute of Standards and Technology (NIST) issued a guideline a year ago suggesting that US federal government agencies move away from SMS-based two-factor authentication, which is deemed insecure.

SMS token interception is one of the 30+ test cases covered by the Telecom Defense Limited Company’s remote SS7 vulnerability assessment performed on mobile networks.