Google’s Multi-Party Approval Process Is Great, but Not Unphishable

By Roger Grimes

Like most observers, I celebrated Google’s recent announcement on April 9th about new multi-party approvals for a handful or so of common actions accomplished by super admins in Google Workspace.

In short, when particular high-risk actions are being performed (such as account recovery), admins can require another super admin to approve the action before it is performed.

Multi-party approval is turned on by default for domains with two or more super admins. Currently, covered high-risk actions defined by Google are [with my additional explanations]:

  • Two-Step Verification [i.e., enabling or disabling two-step verification for a user]
  • Account recovery [i.e., allowing users to self-recover or not]
  • Advanced Protection [i.e., enabling or disabling Advanced Protection for a user]
  • Google session control [i.e., limiting a user session before they have to re-authenticate]
  • Login challenges [i.e., enable or disable user login challenges]
  • Passwordless [i.e., enabling or disabling FIDO passkeys]

Many of the covered actions have been increasingly abused by attackers, including ransomware gangs, which I am sure is why this feature was implemented and rolled out. 

I think this is a GREAT idea! I have no criticism of it or the way Google implemented it. It is well done, fairly automatic with a great admin user interface experience and solid defaults. I hope Google does it more, in more places, with more potential actions included. I am sure this will motivate other vendors and competitors to do the same. Multi-party approvals will for sure make some malicious actions harder on hackers.

Two points, one small, one more important.

First, multi-party approvals are really just an implementation of something known as automated workflows. Many products, commercial and custom, have included automated workflows for decades. For example, many help desk products have included workflow automation to approve particular requests, including high risk admin actions.

The best help desk software often allows any action to have automated workflows requiring multiple approvers. Hundreds of thousands of companies have long had internal, customized automated workflows.

When I worked at Microsoft (over 6 years ago), we had many internal automated workflows. For example, employee password resets required not only Help Desk approval and identity verification, but also the employee’s boss's approval.

The employee’s boss would receive an email from the help desk stating that the employee was requesting a password reset and asking the boss to verify that it was the employee actually needing the password reset. All the boss had to do was click “Yes” on the email for the password reset request to go through. It was all automated.

Leaders would also be sent semi-annual email notices about what folders and files their employees had access to and would have to confirm that the access should still be granted going forward (or at least until the next access control verification email). If the leader did not respond to the request, the employee’s access to the protected resource was cut off.

Some types of sensitive digital certificates (such as code signing certificates) had a multi-party approval process. It has been built into Microsoft’s Active Directory Certificate Services product for over two decades. 

What is different here is that Google is putting it into their cloud platform, including a number of common high-risk scenarios, and enabling it by default (for many customers). I do not know if one of Google’s competitors also does something like multi-party approvals, but AFAIK it is the first within a customer’s admin console for a major cloud vendor. So, kudos to Google for doing it. I hope success breeds more of it.

But one big reminder: although multi-party approvals make it harder for hackers to be successful, hackers will still be successful. It is not like multi-party approvals get implemented and all the social engineering hackers close up shop and go home… any more than they did when multi-factor authentication (MFA) started being pushed in a big way by the major vendors.

If a good social engineering scam can convince one admin to do something, it can nearly as easily convince two admins to do the same thing. If your CEO is blowing you up on the phone that their MFA is not working while they are in a big business deal and they need their account recovered, that stress will work equally well on two admins. This is to say, like MFA, multi-party approvals are great, but not perfect defenses. Hackers will get around it. Social engineers will update their scams to get around it.

We know this because hackers always adapt and overcome (at least so far). In the recent past, MFA is/was touted as the way to stop hackers! Remember all the utter nonsense from the “experts” claiming MFA stopped 99% of attacks? Then it turns out that 90% of MFA is easily susceptible to adversary-in-the-middle attacks and now we have millions of MFA users who have been hacked.

At first, attackers had to manually bypass MFA. But now almost all password-stealing malware and automated adversary-in-the-middle attacks have been updated to bypass the most popular forms of MFA used by most people.

It does not take an uber hacker to bypass MFA any longer, just someone willing to spend $50 to buy a phishing kit. Once a weakness in a defense is spotted, hackers will figure out a way to abuse it, and eventually the attack gets automated. The same thing will likely happen with multi-party approvals. They are great. Use them where you can. But multi-party approvals are not impenetrable. 

Anything that makes a hacker’s life harder is a good thing and is welcomed. Just do not implement it and think you can sit back and forget the security basics. You will still have to be on the lookout for hackers and social engineers. You will still have to hover over links to review them before clicking on them. You will still have to confirm it is your CEO asking for the account recovery and not just some AI-generated deepfake. 

Verify, then trust. 
