“TURN ON TWO-FACTOR authentication” is solid advice, and WIRED has repeated it for years. Doing so ensures that your password isn’t the only line of defense against unauthorized access to your accounts. The only problem? The onus was always on you to figure out how to make it happen. Now, Google is taking its first steps toward enabling two-factor by default for all its users—and where Google goes in web security, the rest of the industry often follows.
The company said in a blog post this week that it will begin asking users who already have enabled two-step verification to authenticate by tapping a prompt on their smartphones whenever they sign into their Google or Gmail account. (Gmail has about 1.8 billion users; people can also create Google accounts using email addresses from other services.) Once Google assesses data on how easy it is for existing two-factor users to interact with these mobile prompts, the company will start automatically opting users into two-step verification.
“We’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results,” Mark Risher, Google’s director of product management for identity and user security, told WIRED. “It’s true that multifactor authentication has historically been considered tedious and challenging to set up, but for many users that is no longer the case.”
Multifactor authentication adds one or more additional checks to a login process beyond just a username and password. Your second factor could be an ephemeral, randomly generated code from an authentication app, the presence of a physical authentication key like a Yubikey, or even a digital token built into your smartphone. And adding at least one of these extra layers makes it much harder for phishers, scammers, or other malicious hackers to penetrate your digital accounts.
While multifactor authentication seems like an obviously beneficial security feature, companies have been reluctant to mandate its use for everyone. Requiring two-factor might dissuade consumers from trying their services, ultimately hurting their business. Users also might not have the equipment or know-how to navigate multifactor authentication, thus excluding them from services they might otherwise want to use.
“Ultimately, we want all of our users to have the best security protections in place—by default—across their devices and accounts,” Risher says. “At the same time, we recognize that today’s two-step verification options aren’t suitable for every user, so we are actively working on technologies that provide a secure, equitable authentication experience and eliminate the reliance on passwords.”
Google users will still be able to opt out of two-factor authentication if they change their mind. The goal, though, is to push both users and the wider tech industry toward two-factor as a baseline standard.
Google has been a leader on other major web security transitions, from promoting autoupdates and sandboxing with Chrome to pushing for ubiquitous HTTPS web traffic encryption. It’s not the only heavy hitter to start habituating its users to multifactor authentication, though. Apple hasn’t fully mandated two-factor for its Apple IDs, but in recent years the company has aggressively promoted the feature and made it more and more difficult to opt out.
“It’s great to see Google advancing the industry by nudging users to enable multifactor authentication, in this case with our smartphones,” says Kenn White, a security engineer and founder of the Open Crypto Audit Project. “If we can make it easy to move beyond simple credentials, that’s a win for account security and everyone. And we are gradually starting to see large organizations like banks and healthcare adopt urgently needed protections like mandatory two-factor.”
For now, Google says it will monitor early test groups for “sign-in success” and indications of what makes the process easiest for users. “We know that having a second form of authentication dramatically decreases an attacker’s chance of gaining access, but need to ensure it doesn’t lock users out of their accounts,” Risher says. “Additionally, we are going to work with our users to understand how they feel about this change. Do they feel the enrollment experience was seamless? How can we improve it? Do they feel confident signing in this way? Do they understand how much safer their accounts are, and that relying on passwords alone is a vulnerability?”
It’ll take time to answer these questions and even longer for the entire industry to make the adjustment. But with digital fraud booming, the need for a radical shift in web security is more urgent than ever.