Google just added a new method to its two-step verification (2SV) implementation, allowing users to simply tap “OK” in the Google app on their phones to approve a sign-in:

We know that security is one of your top concerns as a Google Apps admin and that many of you require your employees to turn on 2-Step Verification (2SV) to keep their accounts safe. There are multiple ways your end users can approve sign-in requests via 2SV—by tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone.

Your employees can now choose any of these options in the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account. The Help Center will be updated with detailed instructions soon; check back here for links to the relevant articles.

The one obvious requirement is that the phone must have a data connection to receive the approval notification. This is a sound alternative to SMS-based two-step verification, because SMS messages themselves can be intercepted, redirected, or stolen in transit.

According to security researchers, two-factor authentication is a key component of a solid cyber defense strategy against the current techniques used by cyber espionage actors (emphasis added):

The main tactic used by TG-3390 is to use strategic web compromises or watering-hole attacks to infect their targets, although in one case it has been seen to use a spear phishing attack.

The CTU believes it is seeing just a fraction of TG-3390’s activity, but even in this limited view, it has discovered that the group has infected the websites of 100 organisations across the globe to ensnare its targets.

These compromised websites include a defence manufacturing firm based in Spain, large manufacturing companies, energy companies, embassies, non-governmental organisations focused on international relations, and defence and government organisations.

The researchers said TG-3390 knows exactly which websites their targets are visiting and, as a result, have specifically targeted and compromised 50 entities based in the US and the UK, including auto, electronic, aircraft, pharmaceutical, and oil and gas manufacturers. The group has also compromised educational institutions, law firms, defence contractors and political organisations.

The group placed code on each site that redirected visitors to a malicious site, and if the visitor had an IP address that was of interest, the computer user would be served an exploit kit the next time they returned to the compromised site.
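The mechanism described above, injected code that sends selected visitors elsewhere, is something a site owner can look for directly. The following is an added example, not code from the page or from the CTU report: a small page-integrity check that parses a site's HTML and flags script or iframe sources, meta-refresh targets, and inline-script redirects that point at hosts outside the site's own domain and allowlist. The site host `example-corp.com`, the allowlist and the `constructed-bad.example` hosts in the sample page are all constructed for the demonstration.

```python
"""Constructed example: flag off-site redirects and includes in a page.

A defender-side integrity check for watering-hole style injections. It does
not fetch anything; it parses HTML you already have (e.g. from a crawl or a
file-integrity job) and reports references to hosts you do not trust.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _ReferenceFinder(HTMLParser):
    """Collect (kind, url) pairs for every external reference in the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.findings.append((tag, a["src"]))
        if tag == "script":
            self._in_script = True
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=https://host/path"
            for part in (a.get("content") or "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.findings.append(("meta-refresh", part[4:].strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that assigns a location: record any absolute URLs in it.
        if self._in_script and "location" in data:
            for url in _URL_RE.findall(data):
                self.findings.append(("inline-script", url))


def _is_trusted(host, trusted):
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def find_offsite_references(html, site_host, allowlist=()):
    """Return [(kind, host, url)] for references to hosts outside site_host/allowlist."""
    parser = _ReferenceFinder()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    offsite = []
    for kind, url in parser.findings:
        host = urlparse(url).hostname
        if host is None:  # relative URL, same origin as the page
            continue
        host = host.lower()
        if not _is_trusted(host, trusted):
            offsite.append((kind, host, url))
    return offsite


# Constructed sample page: one legitimate CDN subdomain plus four injected
# references to a constructed attacker-controlled host.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=https://constructed-bad.example/landing">
<script src="/js/app.js"></script>
<script src="https://static.example-corp.com/lib.js"></script>
<script src="//cdn.constructed-bad.example/t.js"></script>
</head><body>
<iframe src="https://constructed-bad.example/frame" width="0" height="0"></iframe>
<script>if (x) { window.location = "https://constructed-bad.example/go"; }</script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, url in find_offsite_references(SAMPLE_PAGE, "example-corp.com"):
        print(f"{kind:14} {host:32} {url}")
```

Run over a baseline copy of each page and the live copy, the diff of the two result lists is the interesting part; a new off-site host appearing in a page that did not have one before is exactly the signal the quoted report describes. The check is a heuristic: obfuscated scripts that build URLs at runtime will not match the regex, so it complements rather than replaces file-integrity monitoring of the web root.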

ZDNet on how a CIA-backed startup discovered that federal agency employees’ logon credentials and passwords have been leaked online:

A CIA-backed startup has discovered login credentials and passwords for 47 US government agencies littered across the Internet — leaving federal agencies potentially at risk of cyberattack.

Recorded Future, a Boston-based data mining firm backed by the CIA’s venture capital arm, said in a research report that credentials belonging to 47 US government agencies have been found across 89 unique domains.

Two-factor authentication is an option offered by various online services, including Facebook, Gmail and PayPal, to heighten individual security and provide a second layer of defense. As passwords are far from the most secure way to protect and authenticate an account, if credentials are stolen, two-factor authentication — such as linking a mobile phone to your account — can be used to prevent unauthorized entry.

However, as of early 2015, 12 of the US agencies — including the Departments of State and Energy — which have lost credentials online do not stipulate the use of two-factor authentication when users access their systems. As credentials have been leaked, this leaves these departments open to unauthorized access.

It is unbelievable in 2015 that federal agencies are not mandating two-factor authentication for, at the very least, user and privileged-user logon. DoD implemented this requirement almost ten years ago. That the rest of the US government is so far behind the power curve is astonishing.

Fahmida Rashid of Security Week on Docomo, Japan’s largest mobile service provider, opting to ditch passwords in favor of biometrics:

Starting Wednesday, NTT DoCoMo customers with smartphones capable of handling biometric authentication will be able to access several online services using iris recognition or fingerprint authentication, the company said. The company offers four smartphones with biometric authentication, including the Galaxy S6 Edge SC-04G, Galaxy S6 SC-05G, Arrows NX F-04G and Aquos Zeta SH-03G. The Arrows NX F-04G has an iris scanner which can authenticate the user.

NTT DoCoMo will support biometric authentication based on protocols developed by the FIDO Alliance, a consortium of technology companies and financial services firms trying to strengthen authentication by creating protocols and standards which don’t rely on passwords. The protocols rely on the combination of hardware, software, and services, and are designed to be interoperable across different networks and devices.

This effort is aimed only at Android-based phones sold by Docomo. How long before KDDI and Softbank follow suit?