FB pixel

Google commits to more MFA and passkeys

Details alignment with CISA’s Secure by Design Pledge
| Chris Burt
Categories Access Control  |  Biometrics News  |  Mobile Biometrics
Google commits to more MFA and passkeys
 

Google is committing to multi-factor authentication as a central pillar in its cybersecurity strategy for consumers and enterprises, with passkeys as one of its main tools for strengthening account security. The Department of Homeland Security’s cybersecurity agency surely approves, as Google’s commitments follow both its recent and newly published guidance.

The tech giant has enumerated seven ways it is implementing the Secure by Design Pledge. The Pledge was formulated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year, and Google is one of more than 200 signatories, according to the blog post.

A white paper describing “An Overview of Google’s Commitment to Secure by Design” provides details.

MFA is prominent among Google’s measures, including its shift towards passkeys for passwordless authentication. Default passwords are not treated by the company as a vulnerability, and are not pre-configured for Google devices.

The other measures include quick, automatic security patches, vulnerability disclosures and a Vulnerability Rewards Program, security bulletins for Common Vulnerabilities and Exposures (CVEs) and security checkups and audit tools to look for evidence of intrusions.

Bad Practice makes imperfect

MFA also features prominently in new guidance from CISA on what not to do, based on CISA’s Secure by Design initiative.

CISA is currently seeking feedback on its “Product Security Bad Practices” guidance.

The agency urges organizations to avoid development in “memory unsafe languages,” like C or C++, or user-provided input into SQL query or OS command strings. Default passwords are also identified as a bad security practice.

CISA warns organizations not to use open-source software components with known vulnerabilities, or to flout their responsibility to publish CVEs in a timely manner.

MFA should be enabled by default for administrator accounts by January 1, 2026, giving hackers a deadline to attack a relatively common bad practice.

The comment period ends on December 2, 2024.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Google Wallet supports Aadhaar verifiable credentials in India

Google has added support for Aadhaar Verifiable Credentials in India, allowing users to store and present their digital Aadhaar ID…

 

India scales farmer ID system for payments with KPMG support

The India office of influential accounting firm KPMG has explained how it supported the advancement of the country’s Digital Agriculture…

 

Digital ID systems fail migrants due to policy gaps, Caribou finds

A new report by research organization Caribou has warned that digital ID systems around the world have continued to deepen…

 

Hopae launches eIDAS 2.0, AMLR onboarding readiness tool

Hopae has launched a free self-assessment tool to help financial institutions offering customer onboarding and identity verification to evaluate their…

 

Certainty vs flexibility – does the UK need a Biometric Surveillance Act?

By Professor Fraser Sampson, former UK Biometrics & Surveillance Camera Commissioner Last week London became a city of two tales. Two…

 

TestMu AI releases testing tool for agent-produced code

TestMu AI (formerly LambdaTest) has launched Kane CLI, “a new browser automation tool that runs directly from the terminal,” and…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Continue Reading

Biometric Market Analysis and Buyer's Guides

Most Viewed This Week

Featured Company

Learn More

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events