Google Wants To Enable Multi-factor Authentication By Default

Google strives to push all its users to start using two-factor authentication (2FA), which can block attackers from taking control of their accounts using compromised credentials or guessing their passwords.

“Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured,” as Mark Risher, Google’s Director of Product Management, Identity and User Security, revealed today.

This move is meant to increase Google user accounts’ security by removing the “single biggest threat” making easy to hack: passwords that are hard to remember and, even worse, easy to steal via data breaches and phishing.

In the first of this process, the company will ask users already enrolled in 2FA (aka 2-Step Verification or 2SV) to confirm their identity by tapping on a Google prompt on their smartphones whenever they sign in.

To enroll in two-factor authentication for your Google Account right now, go here and click the “Get Started” button to add an extra layer of security and block attackers from gaining access to your data.

“Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” Risher added.

Also Read: How To Comply With PDPA: A Checklist For Businesses

In January 2020, Google announced that iPhones running iOS 10 or later could be used as security keys to verify sign-ins on Chrome OS, iOS, macOS, and Windows 10 devices without pairing.

Previously, the company also made using the security key built-in Android phones running Android 7.0+ (Nougat) generally available, and allowed iOS users to verify sign-ins into Google and Google Cloud services using Android phones set up as security keys.

More information on how to set up your phone as a Google account security key can be found here.

How two-factor authentication protects your account

Once 2FA will be enabled on your account (configured to work via text/voice message codes, the Google Authenticator app, or with security keys), it will block unauthorized access by creating an extra defense layer designed to prevent malicious actors’ attempts to log in.

This means that attackers will not be able to take it over even if they manage to steal your credentials unless they also have access to your device to confirm their malicious login attempts.

With 2FA toggled on, you’ll be asked to enter your password, as usual, whenever signing into your Google account. 

However, you’ll be required to confirm your identity using a code sent via text message, voice call, or mobile app. If you have a Security Key, you can also insert it into your computer’s USB port to confirm that you are the one trying to log in.

To put things into perspective, Director of Identity Security at Microsoft Alex Weinert said two years ago that “your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Weinert also added that “use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”

Also Read: In Case You Didn’t Know, ISO 27001 Requires Penetration Testing

“One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then Google will continue to keep you and your passwords safe,” Risher concluded.