Google is making another push on two-step verification for G Suite users by making its phone prompts the default login authentication method, displacing less secure methods like SMS and voice codes. The new policy takes effect the same day those prompts will start appearing on every device a user is signed into.
From July 7, anyone signing into their G Suite account on a new device will receive a prompt on all phones they are currently signed into. Users may elect to use a less secure authentication method by clicking the "More ways to sign in" link on the login page, but not after the prompt is sent out to their associated devices.
In order to prevent a prompt from showing up on a device, the user must sign out of their G Suite account on that device. Admins won't be able to disable prompts unless they start requiring security keys or turn off 2SV altogether.
The prompts, a concept that debuted back in 2016, are similar to, but not exactly the same as, the ones that general users receive: information about the login attempt such as device OS version and location is displayed, but in addition to a yes/no choice, users may have to tap a number on their phone that matches the one shown on the login page.
In our story about the new prompts mandate for general users last week, we noted concerns from users who may need to be signed into multiple phones in different places at once — having the potential for any device to authenticate a login may pose a vulnerability for them.
I only have it enabled on my main phone.
I frequently have my kids use my devices, like tablets, without logging them into their own Google accounts, so now unless I disable this feature entirely they'd be able to tap Yes on 2FA sign-in prompts just to get the pop-up to go away.
— Artem Russakovskii (@ArtemR) June 9, 2020
G Suite account holders who have registered a security key — be it a USB dongle or a phone — will still need to use it as their primary or only authentication method, depending on organization rules.