FB pixel

Google commits to more MFA and passkeys

Details alignment with CISA’s Secure by Design Pledge
Google commits to more MFA and passkeys
 

Google is committing to multi-factor authentication as a central pillar in its cybersecurity strategy for consumers and enterprises, with passkeys as one of its main tools for strengthening account security. The Department of Homeland Security’s cybersecurity agency surely approves, as Google’s commitments follow both its recent and newly published guidance.

The tech giant has enumerated seven ways it is implementing the Secure by Design Pledge. The Pledge was formulated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year, and Google is one of more than 200 signatories, according to the blog post.

A white paper describing “An Overview of Google’s Commitment to Secure by Design” provides details.

MFA is prominent among Google’s measures, including its shift towards passkeys for passwordless authentication. Default passwords are not treated by the company as a vulnerability, and are not pre-configured for Google devices.

The other measures include quick, automatic security patches, vulnerability disclosures and a Vulnerability Rewards Program, security bulletins for Common Vulnerabilities and Exposures (CVEs) and security checkups and audit tools to look for evidence of intrusions.

Bad Practice makes imperfect

MFA also features prominently in new guidance from CISA on what not to do, based on CISA’s Secure by Design initiative.

CISA is currently seeking feedback on its “Product Security Bad Practices” guidance.

The agency urges organizations to avoid development in “memory unsafe languages,” like C or C++, or user-provided input into SQL query or OS command strings. Default passwords are also identified as a bad security practice.

CISA warns organizations not to use open-source software components with known vulnerabilities, or to flout their responsibility to publish CVEs in a timely manner.

MFA should be enabled by default for administrator accounts by January 1, 2026, giving hackers a deadline to attack a relatively common bad practice.

The comment period ends on December 2, 2024.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

iProov, iiDENTIFii help Standard Bank create network of trust

It’s one thing to know your customer, and another thing to know your customer is real. As GenAI becomes a…

 

World to spend $26B on IDV checks by 2029: Juniper

By 2029, the total global spend for digital identity verification checks will spike by 74 percent to reach $26 billion,…

 

Regula to replace SumSub as face biometrics provider for Maldives

Regula Forensics has been granted the contract to provide face recognition for the Maldives’ national digital identity, eFaas, after the…

 

UK student IDs now supported by Yoti digital identity apps

Yoti has added support for school IDs to its digital ID apps so students can more easily prove their status…

 

Ecommerce is losing money to fraud – and looking towards biometrics

Fraud losses continue to plague ecommerce and online payments, with Juniper releasing the latest sobering statistics on merchant losses. Behavioral…

 

UK govt publishes $25M tender for live facial recognition

UK’s law enforcement agencies are seeking live facial recognition (LFR) suppliers in a new tender worth up to £20 million…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events