Wednesday, October 30, 2024

Google commits to more MFA and passkeys | Biometric Update

Must read

Google is committing to multi-factor authentication as a central pillar in its cybersecurity strategy for consumers and enterprises, with passkeys as one of its main tools for strengthening account security. The Department of Homeland Security’s cybersecurity agency surely approves, as Google’s commitments follow both its recent and newly published guidance.

The tech giant has enumerated seven ways it is implementing the Secure by Design Pledge. The Pledge was formulated by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year, and Google is one of more than 200 signatories, according to the blog post.

A white paper describing “An Overview of Google’s Commitment to Secure by Design” provides details.

MFA is prominent among Google’s measures, including its shift towards passkeys for passwordless authentication. Default passwords are not treated by the company as a vulnerability, and are not pre-configured for Google devices.

The other measures include quick, automatic security patches, vulnerability disclosures and a Vulnerability Rewards Program, security bulletins for Common Vulnerabilities and Exposures (CVEs) and security checkups and audit tools to look for evidence of intrusions.

Bad Practice makes imperfect

MFA also features prominently in new guidance from CISA on what not to do, based on CISA’s Secure by Design initiative.

CISA is currently seeking feedback on its “Product Security Bad Practices” guidance.

The agency urges organizations to avoid development in “memory unsafe languages,” like C or C++, or user-provided input into SQL query or OS command strings. Default passwords are also identified as a bad security practice.

CISA warns organizations not to use open-source software components with known vulnerabilities, or to flout their responsibility to publish CVEs in a timely manner.

MFA should be enabled by default for administrator accounts by January 1, 2026, giving hackers a deadline to attack a relatively common bad practice.

The comment period ends on December 2, 2024.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Ireland’s Online Safety Code has been published to establish age assurance rules and regulate content for online video-sharing platforms with…

 

Nearly three-quarters of Europeans support the use of artificial intelligence by police and military, including facial recognition and biometric data…

 

The Data (Use and Access) Bill (DAU) has been introduced in UK Parliament, and if passed it would establish conditions…

 

A new technology assessment report to US lawmakers on generative AI training, development, and deployment cautions that despite the efforts…

 

Across Europe, digital identity ecosystems are changing, as the European Digital Identity (EUDI) Wallet program rolls out in EU member…

 

The combination of biometrics with zero-knowledge proofs (ZKPs) is finding a niche in the decentralized identity management and fraud prevention…

Latest article