Google is going to automatically enroll 150 million users and two million YouTube creators into using two-factor authentication for their accounts by the end of the year, it announced on Tuesday.
Passwords aren’t good enough on their own, Google’s AbdelKarim Mardini, group product manager working on Chrome, and Guemmy Kim, director at the Account Security and Safety team, explained on Tuesday. These passphrases are often simple and can be easily guessed, or stolen and shared.
Two-factor authentication provides an extra layer of security by, say, requiring a one-time code to complete your login – this code could be generated by an app on your phone or emailed to you – or a hardware key you insert into your computer. The idea being that if someone learns of or guesses your password, they also need to get something else off you, like your unlocked phone or hardware key.
Google calls this two-step verification (2SV) and it involves being sent a code to type in, using a hardware key, or an app on your phone.
“2SV is strongest when it combines both “something you know” (like a password) and ‘something you have’ (like your phone or a security key),” Mardini and Kim said.
“And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state. By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require two million YouTube creators to turn it on.”
Although Google introduced such authentication about a decade ago, people haven’t really been using it. Google software engineer Grzegorz Milka revealed at Usenix’s Enigma security conference in 2018 that less than 10 per cent of the web giant’s active user accounts were protected by two-factor authentication.
At the time, Milka told The Register the search giant didn’t want to force it upon its users. “The answer is usability,” he said. “It’s about how many people would we drive out if we force them to use additional security.”
Now Google’s being a little more proactive, though it noted not everyone is tech savvy enough to get their heads around 2SV. As such, it is being selective with the accounts it auto-enrolls.
“We also recognize that today’s 2SV options aren’t suitable for everyone,” Mardini and Kim said, “so we are working on technologies that provide a convenient, secure authentication experience and reduce the reliance on passwords in the long-term. Right now we are auto-enrolling Google accounts that have the proper backup mechanisms in place to make a seamless transition to 2SV.” ®