To stop hackers, Google is preparing to automatically turn on two-factor authentication for user accounts rather than make it opt-in.
“Soon we’ll start automatically enrolling users in 2SV [two-step verification] if their accounts are appropriately configured,” Mark Risher, a Google director of user security, wrote in a blog post.
The announcement comes on World Password Day. Using a strong password is a crucial way to prevent hijackers from breaking into your account. But for even more protection, many services also offer two-factor authentication (2FA), which adds an extra step to the log-in process.
The security safeguard works by tapping into your smartphone to generate a one-time passcode—either via text or an authenticator app—which can then be typed into a login form. Google also allows people to approve 2FA logins by tapping a prompt inside its own apps.
However, two-factor authentication (2FA) is usually optional and involves you going into your account settings and turning it on. 2FA can also become a time suck, requiring you to pull out your phone, wait for or hunt down the code, and then type it in. However, Risher is confident Google has addressed this core complaint.
“It used to be that multi-factor authentication was considered tedious and challenging to set up—that is no longer the case,” he told us in an email. “Many users are already positioned to use a second step of verification across their accounts—this auto enrollment process is a way for us to help get them there.”
According to Risher, Google plans to expand mandatory 2FA to users who regularly sign in to their account and engage with Google products on their mobile devices, and have recovery information saved to their accounts, such as a secondary phone number or email.
“More factors means stronger protection, but we need to ensure users don’t get accidentally locked out of their accounts,” he added. “That’s why we’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results.”
The Google prompt option also simplifies sign-ins. “Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in,” Risher wrote.
That second step should also only appear if you’re signing into a new device. For devices you regularly use and trust, it should rarely appear. "Our ultimate goal is to get everyone into a more protected and secure state by default," Risher added. But if you’re not a fan of the two-factor authentication, Risher says you can opt out.
That's not the case with Apple. Though 2FA is still optional on Apple devices, you only have two weeks to turn it off once you opt in. After that, there's no way to go back. "Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information," Apple says.
Google has long required 2FA for its employees. In 2017, it started giving out physical security keys to its then-85,000 employees. A year later, it said that no employees had reported any confirmed takeovers of work-related accounts.