By doing so, you ensure that your password isn’t your only line of defense against unauthorized account access. The only issue is that it was always your responsibility to figure out how to make it work.
In a blog post published this week, the company stated that users who have enabled two-step verification will be asked to authenticate by tapping a prompt on their smartphones whenever they sign into their Google or Gmail account. (Approximately 1.8 billion people use Gmail; users can also create Google accounts using email addresses from other services.)
Google will begin automatically opting users into two-step authentication after analyzing data on how simple it is for current two-factor users to interact with these mobile prompts.
“We’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results,” Google’s director of product management for identity and user security, Mark Risher, said. “It’s true that multifactor authentication has historically been considered tedious and challenging to set up, but for many users that is no longer the case.”
Beyond a username and password, multifactor authentication adds one or more additional checks to the login process. An ephemeral, randomly generated code from an authentication app, the presence of a physical authentication key like a YubiKey, or even a digital token built into your smartphone may all be used as a second factor.
Moreover, adding at least one of these additional layers makes it much more difficult for phishers, scammers, or other malicious hackers to gain access to your digital accounts.
Although multifactor authentication appears to be an obvious security feature, businesses have been hesitant to make it mandatory for everyone. Requiring two-factor authentication could deter customers from trying out their services, resulting in a loss of revenue.
Users may also lack the necessary equipment or knowledge to handle multifactor authentication, preventing them from accessing services they would otherwise enjoy.
“Ultimately, we want all of our users to have the best security protections in place—by default—across their devices and accounts,” Risher says. “At the same time, we recognize that today’s two-step verification options aren’t suitable for every user, so we are actively working on technologies that provide a secure, equitable authentication experience and eliminate the reliance on passwords.”
If users change their minds, they will always be able to opt out of two-factor authentication. However, the aim is to force consumers and the tech industry as a whole to adopt two-factor authentication as a standard.
From supporting autoupdates and sandboxing with Chrome to pressing for ubiquitous HTTPS web traffic encryption, Google has been a pioneer in other big web security transformations.
That being said, it isn’t the only major corporation that has begun to train its customers to use multifactor authentication. Apple hasn’t completely required two-factor authentication for its Apple IDs, but the company has been actively promoting the feature in recent years and making it more difficult to opt out.
“It’s great to see Google advancing the industry by nudging users to enable multifactor authentication, in this case with our smartphones,” security engineer and founder of the Open Crypto Audit Project, Kenn White, says. “If we can make it easy to move beyond simple credentials that’s a win for account security and everyone. And we are gradually starting to see large organizations like banks and healthcare adopt urgently needed protections like mandatory two-factor.”
For the time being, Google says it will monitor early test groups for “sign-in success” and indications of what makes the process the most user-friendly. “We know that having a second form of authentication dramatically decreases an attacker’s chance of gaining access, but need to ensure it doesn’t lock users out of their accounts,” Risher adds. “Additionally, we are going to work with our users to understand how they feel about this change. Do they feel the enrollment experience was seamless? How can we improve it? Do they feel confident signing in this way? Do they understand how much safer their accounts are, and that relying on passwords alone is a vulnerability?”
Addressing these issues will take time, and the industry as a whole will take much longer. However, with the rise of digital fraud, the need for a significant change in web security is more important than ever.