Google Prompt Confirms Future of 2FA & Auth Tech
In order to strengthen security for all of its users, Google recently announced Google Prompt, a significant improvement in how they authenticate users. Google Prompt is a push notification solution that leverages the rich interface and connectivity of today’s smartphones, and Google isn’t even the first this year: Yahoo and Microsoft have both introduced similar authentication experiences. Preceding these companies, way back in October 2015, Authy launched OneTouch, an API for developers who want to integrate push 2FA in their apps. Even though they are not the first, Google Prompt still marks a milestone in another technology giant moving the internet forward in providing better security for our digital lives. Let’s dig into why this is so important.
Push notification 2FA is better
Rather than entering a one-time password (OTP) token that’s generated on your phone or sent to you via SMS, users receive a smartphone notification in the same fashion Twitter, Facebook or the calendar app alerts them to an important activity. Responding to the notification leads to a simple UI asking them to respond with either a “Yes” or a “No.” As soon as the response on the phone is made, the login completes automatically.
The feature is made available alongside other existing 2FA options such as SMS, voice calls or smartphone OTP generators. Something Google didn’t broadcast widely is that you can also use Google Prompt to totally replace the use of passwords for frequent logins. Yahoo also actively promotes the use of its push notification based authentication as a replacement for the password.
So what’s the big deal about this different login method?
With push notification 2FA, there is a direct and very secure communication channel between the authentication service and the smartphone application. Once the user has authenticated to the mobile application, it becomes a trusted device for authentication. Only trusted devices can be used as part of the authentication phase. With Google and other services, if you lose a device or have one stolen, you can log in to your online account and remove devices you no longer want to be trusted. This is also a preferred solution over using SMS, a more common approach to 2FA, which is not as secure.
When the notification reaches your phone and you select “Yes”, the browser or device used to log in continues immediately. After you type in your username and password, all you need to do is pick up your phone and touch a button. Since, frankly, this is far less annoying than entering or remembering a password, expect to see greater numbers of people adopting Google Prompt.
More informed users
As you can see in the image above, when a user receives a notification on a device, it’s very clear what is happening: someone is trying to sign in. If you are sitting by your laptop logging into Google and this message suddenly appears on your phone, it’s easy: just click “Yes”. But what if you’re having coffee with friends and not logging in at that moment? What if a cyber criminal, equipped with your username and password, is trying to access your Gmail account? If it isn’t you trying to access your email, the notification gives you the instant ability to thwart whoever’s attempting to log in.
Want to build Google Prompt into your own applications?
Google Prompt is a great example of the future of authentication. But, what if you want to integrate it into your own applications? Google Prompt wasn’t designed for developers and businesses, it was designed for individual Google users. Same goes for Yahoo’s Account Key. They are fantastic additions to the security landscape, but they don’t greatly move the needle outside of their own respective ecosystems. Even if you want to integrate it, you lose the power to customize, shape and determine the experience for your users.
This is why we developed Authy OneTouch. Launched in October 2015, OneTouch is a service that allows you to embed an identical type of authentication into any application, but without the limitations of Google or Yahoo’s service. Let’s look at some of the advantages of deploying Authy’s OneTouch versus trying to fit Google Prompt to your needs.
The future of creating applications is leveraging stacks, frameworks, and other services. Tying all this technology together are APIs, and they are the way forward for building future technologies. However, Google Prompt isn’t an API, it’s a closed authentication flow where the entire login experience is owned by Google and requires a developer to set up and have a Google account for each of your users.
This presents a problem for use in your own application, as you lose complete control over the authentication experience. Instead of being able to intertwine authentication into your application, users are ejected from your app and are taken through the Google workflow. If Google decides to change how that works, you’re left with no choice but to defer your user’s experience to Google.
Authy, in comparison, is an API that can be attached to any existing authentication flow you have today. It can be used to improve the security of a login that leverages an LDAP or Active Directory back end. You insert just a few lines of code directly into the areas of your application where you make the authentication decision. You can even use Authy’s OneTouch as the primary authentication factor, but that doesn’t mean handing over the entire user identity to Authy. You retain the user data; Authy provides the increased login security.
Because Authy is an API, you can extend the service beyond just the login. Google uses Google Prompt to also ensure when a change to your account is made, the user is given the chance to approve the change. This is a great idea! Imagine if you could have a strong approval process where any transaction (money transfer, change of address, account deletion) in your application is secured by real-time notification and response with the user. You can’t do this with Google Prompt, but you can with Authy’s OneTouch because we provide a fully flexible API that enables you to embed an authentication or authorization approval request, at any point, directly into your application.
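The approval flow described above (a request bound to a trusted device, a yes/no answer, expiry, single use, and device revocation) modelled on the server side, as an added illustration that is not Authy’s or Google’s code; the class, method names and the in-memory store are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ApprovalRequest:
    user: str
    action: str                 # "login", "money transfer", "account deletion", ...
    details: dict               # context shown in the push (IP, browser, amount, ...)
    expires_at: float
    status: str = "pending"     # pending | approved | denied | expired


class PushApprovalService:
    """Hypothetical server-side model of a push-approval flow (not a real API)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.trusted = {}       # user -> set of enrolled device ids (revocable)
        self.requests = {}      # request id -> ApprovalRequest

    def trust_device(self, user, device_id):
        self.trusted.setdefault(user, set()).add(device_id)

    def revoke_device(self, user, device_id):
        self.trusted.get(user, set()).discard(device_id)

    def create_request(self, user, action, details, ttl=120):
        # Only a user with at least one trusted device can be sent a push.
        if not self.trusted.get(user):
            return None
        rid = secrets.token_urlsafe(16)      # unguessable, single-use request id
        self.requests[rid] = ApprovalRequest(user, action, details, self.clock() + ttl)
        return rid

    def respond(self, rid, device_id, answer):
        req = self.requests.get(rid)
        if req is None or req.status != "pending":
            return False                     # unknown or already decided: ignore
        if self.clock() > req.expires_at:
            req.status = "expired"           # a stale "yes" must never complete a login
            return False
        if device_id not in self.trusted.get(req.user, set()):
            return False                     # only an enrolled device may decide
        req.status = "approved" if answer == "yes" else "denied"
        return True

    def is_approved(self, rid):
        # Polled by the browser or app; the action continues only on an explicit "yes".
        req = self.requests.get(rid)
        return req is not None and req.status == "approved"
```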
Google Prompt is unmistakably ‘Google’. They control branding, messaging and layout of the entire experience, both in your web application UI as well as the push notification itself. Logging in is the first thing users do in your application, and you should have the ability to shape that experience to fit your business needs. Having your brand absent during one of the most important points of entry to your application is not ideal. Building on an API gives you the power to determine how and when you deliver authentication, not to mention how it’s designed:
[Image: Authy web login (example from one of our customers) beside Google web login]
Google’s Search app on iOS, the required app for Google Prompt, requests significant permissions from the user, which include:
- User’s full Location History, which creates a map of a user’s location behaviors.
- Full web and app activity history, including your full chrome history from other devices (if Chrome sync is turned on).
- Any activity or data that websites and your apps share with Google. This feature also collects the location you were in when the activity took place.
If you’re building software, you want to be able to manage permissions, data collection, retention, location on your own terms, not Google’s.
While Google Prompt brings a better user experience to the login, it stops short of being really informative. With Authy, you can deliver a range of information into the user experience. The examples below show how much more communication is possible with Authy. Your brand is front and center, and since it’s obvious that the messaging to approve a login is coming directly from your business, your users feel reassured and confident in taking the next step.
[Image: Authy mobile UI beside Google mobile UI]
The ultimate in total control over the user experience is having an SDK that can be embedded into your mobile applications. Another limitation with Google Prompt is that on iOS you must install the Google application to receive and present the login notification. Again, this isn’t ideal when trying to implement an improved authentication experience for your users. If you already have a mobile application, it doesn’t make sense to ask your users to download another separate app, just to login to yours. Authy gives you much more flexibility here. You can embed our Authy OneTouch Mobile SDK into any of your mobile applications and get the full security of a Google Prompt-like solution, but retain total control over the entire experience from web-app to mobile-app. To see how Authy’s service can be used to provide a very branded and easy to use authentication experience for users, take a look at the short video below.
There is a light at the end of the tunnel for improved online authentication, and it’s great to see the likes of Google, Yahoo and Microsoft adding these newer methods to their services. Yet building security into your application shouldn’t be out of the box any more than it should be rolling your own. It doesn’t make sense to bind yourself to a feature you can’t shape to your own preference (or your customers’ preference). That’s why APIs are so important—it’s about scaling, being flexible, and adapting to your business needs.
With the Authy authentication service, you don’t need to be a technology giant with large security development teams to offer high levels of user account security. Our cloud-based API abstracts all the complexity, security, and scale of such authentication solutions while giving you full control over how it’s used in your application.