For a long time now, tech companies have withheld their services from Iranians, for fear of violating the vaguely worded sanctions imposed by the US government and bringing down harsh punishment on themselves. Such over-compliance has had a direct impact on the online security of Iranians and, in the case of Google, has left them more exposed to hackers than their counterparts in other countries.
The reason for this is that, up until now, the California-based tech company has refused to make its two-factor authentication app, Google Authenticator, available in Iran. As a fallback, Iranians have had to rely on SMS and call-based two-factor authentication - a method which is widely derided across the internet freedom and information security industries as being vulnerable to a range of attacks.
So-called “SIM swap” attacks use phishing to convince phone service providers to move the victim's phone number to another SIM, so that any two-factor authentication codes are sent directly to the hacker. For Iranians, though, the threat is not even as complicated as this. As the telecommunications companies are owned by the Islamic Revolutionary Guards Corps, intercepting a text message or a phone call so that an official can gain access to an account is a very simple process indeed.
When Google Authenticator is used to verify access to an account, the user must have the actual phone with them in order to retrieve the code. Of course, no system is 100% secure, but app-based two-factor authentication makes interception a lot harder, thereby increasing the security of the users.
Whether Google have made this move out of social responsibility or for financial reasons - they do, after all, need to keep users’ trust in order to continue selling their data - given the harsh consequences of interception in Iran, any improvement in Iranians’ online security can only be a good thing.
Instructions on how to set up Google Authenticator: