G Suite administrators can now prevent enterprise users from using SMS and voice codes as their second authentication/verification factor for accessing their accounts.
The ability to disable those two options will be made available in the next two weeks to admins using any of the G Suite editions.
Why and how?
It has been known for some time that SMS and voice codes are the least secure second factor for 2-factor authentication: the method is vulnerable to malware (e.g., malicious apps that read incoming messages), to social engineering (e.g., an attacker convinces the mobile operator to redirect the traffic meant for the victim’s mobile phone to the attacker’s device), and to attacks exploiting flaws in telephony signaling protocols.
The National Institute of Standards and Technology (NIST) has been calling for the deprecation of SMS-based out-of-band authentication for years now.
“As awareness of the potential vulnerabilities associated with SMS and voice codes has increased, some admins asked us for more control over the ability to use phone-based 2-Step Verification methods within organizations,” Google noted.
“The present release does just that – admins get a policy that can enforce the use of multi-factor authentication without permitting SMS and voice verification codes.”
Users should instead be steered towards more secure options: authenticator apps, hardware tokens, and security keys.
To avoid locking out users who rely on phone-based codes, Google has not enabled the new option by default and is urging admins who until now offered only SMS/voice 2FA to perform a gradual transition before enforcing the policy.