Most security experts agree that two-factor authentication (2FA) is a critical part of securing your online accounts. Google agrees, but it’s taking an extra step: It’s going to sign up Google account holders up for two-factor accounts automatically.
Google sees two-factor authentication as a replacement for passwords, which Mark Risher, Google’s director of product management for identity and user security, in a statement called “the single biggest threat to your online security.” Because they’re easy to steal and hard to remember, users will end up reusing passwords. If stolen, they can be used to unlock multiple user accounts, adding to the risk.
Google already uses 2FA to secure accounts, but it’s been optional until now. If you have 2FA enabled on your Google account, for example, you can view the passwords Google knows by entering your passwords, then confirming your login on a separate phone via Google’s Authenticator app. (It’s no coincidence that Google is announcing this on the so-called World Password Day.) This is two-factor authentication: compounding your security by taking something you know (a password) and combining it with something you have (an authorized phone).
According to Risher, Google will start “automatically enrolling users in 2SV [what Google calls 2FA] if their accounts are appropriately configured.” Google said that users would be given an opportunity to opt out, too.
How Google’s 2FA enrollment will work
What does “appropriately configured” mean? According to Jonathan Skelker, product manager for account security at Google, the term means “users that already have recovery information on their accounts, such as a phone number or [secondary] email.” Google’s Security Checkup page already communicates whether 2FA is set up on your account, and will presumably be the way by which you’ll know if you need to set up 2FA, and how you’ll do it.
Google already allows you to import your passwords stored in other browsers or password managers into Google’s own Password Manager. Google also can generate its own passwords, and use them when you sign up for a new service or site via Chrome. Google’s Password Checkup feature, for the web as well as for Android, also automatically checks your passwords against known password breaches. It’s not good enough to use our tips on how to create strong passwords; you have to know when your passwords have been stolen as part of a breach, and take quick action.
Late Wednesday night, Google issued a clarification saying that users would be given the ability to opt out, in the case where they needed to be able to access their accounts.
"More factors means stronger protection, but we need to ensure users don’t get accidentally locked out of their accounts," Google said in a statement attributed to Risher. "That’s why we’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results.
"The reality is passwords are no longer a sufficient form of authentication – they are painful for people and easy for hackers to access. It used to be that multifactor authentication was considered tedious and challenging to set up – that is no longer the case. Many users are already positioned to use a second step of verification across their accounts – this auto enrollment process is a way for us to help get them there. Users can opt out of this change and keep their account security settings the same."
If you hate passwords, though, take heart: Google’s working to eliminate them eventually. “One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past,” Risher said.
Correction: This story has been updated to note that Google's Risher clarified Google's position by noting that users would be given the option to opt out of the two-factor authentication.