Google commits to more MFA and passkeys

Details alignment with CISA’s Secure by Design Pledge
Google is committing to multi-factor authentication (MFA) as a central pillar of its cybersecurity strategy for consumers and enterprises, with passkeys as one of its main tools for strengthening account security. The Department of Homeland Security’s cybersecurity agency surely approves, as Google’s commitments align with both its earlier guidance and its newly published guidance.

The tech giant has enumerated seven ways it is implementing the Secure by Design Pledge. The Pledge was formulated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year, and Google is one of more than 200 signatories, according to its blog post.

A white paper describing “An Overview of Google’s Commitment to Secure by Design” provides details.

MFA is prominent among Google’s measures, including its shift towards passkeys for passwordless authentication. Default passwords are not treated by the company as a vulnerability, and are not pre-configured for Google devices.

The other measures include quick, automatic security patches; vulnerability disclosures and a Vulnerability Rewards Program; security bulletins for Common Vulnerabilities and Exposures (CVEs); and security checkups and audit tools to look for evidence of intrusions.

Bad Practice makes imperfect

MFA also features prominently in new guidance from CISA on what not to do, based on CISA’s Secure by Design initiative.

CISA is currently seeking feedback on its “Product Security Bad Practices” guidance.

The agency urges organizations to avoid developing in “memory unsafe languages,” such as C or C++, and to avoid placing user-provided input directly into SQL query or OS command strings. Default passwords are also identified as a bad security practice.

CISA warns organizations not to use open-source software components with known vulnerabilities, and not to flout their responsibility to publish CVEs in a timely manner.

The guidance says MFA should be enabled by default for administrator accounts by January 1, 2026, which also gives hackers a deadline for attacking a relatively common bad practice.

The comment period ends on December 2, 2024.
