Just a recap of what Google 2 step verification is like:
Google Is Replacing SMS Codes with Mobile Prompts in 2SV Overhaul
Google wants you to upgrade to a better form of two-factor authentication: invitations will be going out next week for a prompt-based 2SV system that will replace the current SMS-based variety. The company believes that the new method is far more secure, being that it runs through Google Play Services and cannot be intercepted: in order to defeat this security, someone would have to steal your phone that is registered to accept 2FA prompts from Google.
Starting next week, 2-SV SMS users will see an invitation to try Google prompts when they sign in. The invitation will give users a way to preview the new Google prompts sign in flow instead of SMS, and, afterward, choose whether to keep it enabled or opt-out. Overall, this is being done because SMS text message verifications and one-time codes are more susceptible to phishing attempts by attackers. By relying on account authentication instead of SMS, administrators can be sure that their mobile policies will be enforced on the device and authentication is happening through an encrypted connection.
https://www.hardocp.com/news/2017/07/15 ... v_overhaul
[youtube=]XtBiH-srAow[/youtube]
As for why Google are doing this, refer to this:
Standards body warned SMS 2FA is insecure and nobody listened
Duo Security says NIST's advice to deprecate out-of-band passwords has been ignored
By Darren Pauli 6 Dec 2016
The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security.
Last July NIST declared that sending one-time passwords to mobile phones was insecure.
The organisation wrote in its advisory that the likelihood of interception makes TXT unreliable.
"Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators," NIST wrote at the time.
"Out-of-band authentication using [SMS or voice] is deprecated, and is being considered for removal in future editions of this guideline."
NIST stated organisations using SMS for two factor authentication must verify that the supplied number is not associated with a voice-over-IP service.
But scores of organisations use SMS for verification. Google offers it as a fall-back service in place of secure mechanisms like its Authenticator app and hardware dongles, as do Twitter, Facebook, and scores more.
Duo Security's Mayank Saha says the statement has had virtually no impact some six months after its announcement, according to statistics about the use of SMS among its clients.
The firm's customers include NASA, Facebook, Toyota, and Etsy, plus organisations in the government, health, and education sectors.
"Prior to the declaration, we were seeing roughly six to eight percent of two factor traffic in use with our service via the SMS method … after the announcement was made we’ve seen a similar percentage," Saha says.
"There is a notable lack of significant change to the rate of decline after the release of the revised NIST guidelines."
Saha says SMS has this year slowly fallen out of favour with clients but that the NIST advice did nothing to accelerate that rate.
He says push-based authentication which NIST recommends and Google deployed in June is more user friendly and secure than SMS, as are U2F dongles which require users to insert USB sticks into logging in devices. Google also uses the latter login mechanism and plugged it in a recent study Security Keys: Practical Cryptographic Second Factors for the Modern Web [PDF].
SMS authentication is the most universal and arguably useable method of two factor login, primarily because it requires only a phone bearing the right SIM card.
It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.
The NIST guidance comes some four years after Australia's private sector Communications Alliance lobby group ruled SMS as unsafe for two factor authentication.
https://www.theregister.co.uk/2016/12/0 ... d_warning/
To my understanding, the Google Authenticator generates the code on the app already installed on your smartphone, and is synced with your device. This then avoids the SMS issue, since the code generated is from your smartphone only. So I guess this SMS replacement is for their fallback options, which shouldn't be used to begin with.
PS: QNAP uses Google Authenticator 2 step, which is good.