New Apps security feature causes Google user confusion
Google confused end users and triggered a spike in support calls to Apps admins with the initial rollout of a security feature for the cloud suite.
In recent weeks, the company started prompting Apps users to enter a mobile phone number so that they could be contacted via text message in case Google detected suspicious log-in attempts to their accounts—in essence, put users through a two-step authentication process in those cases.
The requests in particular vexed users whose Apps accounts are accessed via single sign-on (SSO), and many of them contacted their IT departments seeking clarification on how to proceed.
This new identity verification feature, announced in May, is intended to prevent the hijacking of Apps accounts via stolen user names and passwords.
Login challenge to improve security
It’s designed to generate a “login challenge”—entering a code sent to the account holder’s mobile phone—if the Google system deems that the access attempt was “suspicious,” using criteria like user location and behavior. Users who have enabled two-step authentication go through that process each time they sign on.
But due to the confusion caused by the mobile phone number prompt among SSO domains, Google has suspended the rollout for all Apps customers until further notice, the company said on Thursday in a blog post.
“While the challenge feature is not enabled for domains using SSO, many users in these domains did see a prompt to enter their phone number as a means of verifying their identity in the future. This understandably caused confusion and led to escalations to admins. Upon hearing of this confusion, the launch of the interstitial prompt was temporarily rolled back for all domains until SSO domains can be fully excluded, at which point it will be relaunched,” the post reads.
Google plans to turn on the login challenge feature for SSO domains eventually, saying in the post that “we are passionate about keeping our users’ information safe and secure, so we do plan to enable login challenges for domains using SSO later this year.”
Pushback from IT
Under heavy competitive fire from Microsoft and its Office 365 suite, Google can ill afford disruptive or confusing feature rollouts among its Apps customers, who rely on the suite for critical email, calendaring and other communications and collaboration tasks.
Judging from several complaints posted by Apps admins on the product’s official support forum, Google may need to clarify the rollout plans for this new feature now that it’s back on the drawing board. It seems some admins would like Google to give them an opt-out alternative from this feature altogether.
“We do not want our users to see that page. Can it be disabled somehow?,” an Apps admin wrote on Wednesday, and was told by a forum monitor that it’s not possible.
Another Apps admin received the same response after posting a similar question on the same day. “Is there a way to prevent this message from appearing to our users as we manage their access and passwords?”
Google Apps customers who are using the suite’s two-step log-in verification feature will not be included in the rollout of this feature, which provides the same type of protection.