FB pixel

Google commits to more MFA and passkeys

Details alignment with CISA’s Secure by Design Pledge
| Chris Burt
Categories Access Control  |  Biometrics News  |  Mobile Biometrics
Google commits to more MFA and passkeys
 

Google is committing to multi-factor authentication as a central pillar in its cybersecurity strategy for consumers and enterprises, with passkeys as one of its main tools for strengthening account security. The Department of Homeland Security’s cybersecurity agency surely approves, as Google’s commitments follow both its recent and newly published guidance.

The tech giant has enumerated seven ways it is implementing the Secure by Design Pledge. The Pledge was formulated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year, and Google is one of more than 200 signatories, according to the blog post.

A white paper describing “An Overview of Google’s Commitment to Secure by Design” provides details.

MFA is prominent among Google’s measures, including its shift towards passkeys for passwordless authentication. Default passwords are not treated by the company as a vulnerability, and are not pre-configured for Google devices.

The other measures include quick, automatic security patches, vulnerability disclosures and a Vulnerability Rewards Program, security bulletins for Common Vulnerabilities and Exposures (CVEs) and security checkups and audit tools to look for evidence of intrusions.

Bad Practice makes imperfect

MFA also features prominently in new guidance from CISA on what not to do, based on CISA’s Secure by Design initiative.

CISA is currently seeking feedback on its “Product Security Bad Practices” guidance.

The agency urges organizations to avoid development in “memory unsafe languages,” like C or C++, or user-provided input into SQL query or OS command strings. Default passwords are also identified as a bad security practice.

CISA warns organizations not to use open-source software components with known vulnerabilities, or to flout their responsibility to publish CVEs in a timely manner.

MFA should be enabled by default for administrator accounts by January 1, 2026, giving hackers a deadline to attack a relatively common bad practice.

The comment period ends on December 2, 2024.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Madagascar considers bids for €8.5M digital ID contract

Madagascar is reportedly in the final stages of selecting a biometrics supplier for a project to modernize the country’s civil…

 

Fraud rings exploit federal weaknesses as Washington falls behind

A new report from identity verification company Socure provides a grim but necessary wake-up call to the federal government: sophisticated…

 

Verifiable Credentials 2.0 now a W3C Standard

The World Wide Web Consortium (W3C) Verifiable Credentials Working Group has published seven W3C Recommendations, including Verifiable Credentials Data Model…

 

Veriff opens technology hub in São Paulo, Brazil

Veriff has expanded into Latin America with the opening of its Veriff Americas headquarters in São Paulo, Brazil. The Estonia-headquartered…

 

World moves further into Asia with new Thailand manager on heels of US launch

“Like a Rolling Orb” may not have the same ring to it as Bob Dylan’s anthem, but that’s not stopping…

 

Alarming gains in face reconstruction from biometric templates made by researchers

Biometric template security is critical to the data integrity and privacy the industry needs to thrive, and template inversion attacks…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Continue Reading

Biometric Market Analysis

Most Viewed This Week

Featured Company

Learn More

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events