Google To Make 2FA Mandatory For All Accounts

Google has recently announced that it is planning on making its 2SV (two-step verification), also known as 2FA (two-factor authentication), mandatory for all account holders.

What Is 2FA/2SV

2FA, or 2SV as Google calls it, is used to make online accounts more secure by adding a second method (or step) of authentication– account password (first step), verification code (second step). 2FA is usually only triggered when the account holder signs in for the first time from a different browser and/or device. When 2FA is triggered, a unique verification code is sent to the account holder, either to their mobile phone via text message or to a secondary email address via email message. The account holder must then input that one-time verification code to complete the signing-in process.

However, if I am interpreting Google’s announcement correctly, it seems mobile phone users will be required to confirm their identity each time they sign in:

Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured.

PC users are not mentioned, nor is there any mention of tablets, so I am uncertain of the scope of this new requirement. Maybe it’s for mobile phone users only. Certainly, based on the wording in Google’s announcement, that appears to be the case. We shall see.

A number of anti-Google skeptics have suggested that this is a plan by Google to ensure that all the data the company collects is attributed to the correct user. While I am by no means a fan of Google or its data collection practices I do not believe there is an ulterior motive involved, merely Google safeguarding its users’ accounts. 2FA is a terrific method to enhance account security and, in my opinion, should be mandatory for all online accounts. Not sure about the whenever they sign in bit though, especially from the same device and browser– maybe overkill?

How To Set Up 2SV

Setting up 2SV for your Google account is a simple matter of adding the required information into your account details. You can choose to add a mobile phone number, secondary email address, or both. I would definitely suggest opting for either the secondary email option or both as phone numbers can and do change whereas email addresses tend to be more permanent.

Please bear in mind that although 2FA/2SV strengthens account security it does not compensate for using weak passwords. The first and critical step in securing any online account is to use a very strong password.


How To Create Strong Yet Easy To Remember Passwords


BOTTOM LINE:

Google’s announcement is about as clear as mud. While it’s apparent that Google is intent on enforcing 2SV, there is no mention of exactly on what devices it will be made compulsory. What’s your take on it all?

6 thoughts on “Google To Make 2FA Mandatory For All Accounts”

  1. Hi Jim,
    Google essentially forces Google Prompts as the default factor, I’d like to use an authenticator app as the default with Google Prompts as a backup. A lot of complaints about this for years, but Google doesn’t make it easy. Hopefully, they will when they force this on everyone.
    JD

  2. Thanks for letting us know Google’s next step.

    However, I don’t think that passwords should be “remembered”. I prefer to use a Password Manager (I use LastPass enhanced with a Yubikey). I may well be wrong, but I think that passwords that can be remembered are passwords that can be more readily hacked than my randomly created 25 character (upper and lower case letters, numbers, and ASCII characters that appear on my keyboard) passwords. To each his own!

    1. I don’t think that passwords should be “remembered”

      I couldn’t agree more Gerry. The fact of the matter is, far too many people do not use a password manager and choose weak passwords. If they follow my guide at least they will end up with strong passwords which is probably a distinct improvement on what they have been doing.

      I wish everyone thought like you mate but, sadly, that is far from the case.

  3. Hi Jim,
    Not for me the 2FA, (reminded me of sweet FA in our Oz lingo)
    I suppose it is OK in a way to stop people using pathetically weak passwords, but
    sensible, security-conscious people using extra-strong passwords will not be pleased to have to get a code from a ‘phone, not everyone has or wants a ‘phone, as with many people. Seniors especially who use a public library computer, and I doubt that they would be interested in having to spend time to log in to their email to get a code.
    I think it would make more sense to request a minimum ten digit password consisting of the good system of upper & lower case letters, numbers and symbols, easiliy checked for being ‘strong’ with Steve Gibson’s Haystack Password Check or similar, plus a free password generator if required.
    Could be many people will be opting out of Google to use other browsers.

    Regards,
    Jonno

    1. I agree with you to a degree, but an article by Leo Nottenbaum pointed out that while 8 character passwords were sufficient a decade ago, the combination of SSDs, increasingly faster DDR4 RAM, and incredibly fast CPUs, make the new minimum 16 characters. I “compromise” with 25 characters. There was a password generator that no longer exists which would generate up to 100 passwords at a time and allow the user to select their length, 1-100 characters, and all reasonable types of characters – upper and lower case letters, numbers, and other visible ASCII characters. I took advantage of this to create a file on a password-protected flash drive which consisted of 2,000 passwords of 25-character length. I send subsets of this list to friends, deleting what I send because I copy what I send with Ctrl-X. Thus the passwords that I have sent protect all parties concerned from having passwords duplicated, even if they are some other friend’s passwords. I suppose somebody with a Cray supercomputer could beat these to death successfully, BUT I’m sure that intercepting Wi-Fi that is used for 2FA, is a much easier, not to mention less expensive, method of breaking into my system than purchasing a Cray! PHYSICAL 2FA IS FINE WITH ME – I use LastPass and yubikeys. For my iPhone and iPad, I use a very inexpensive provider and 2FA can’t be used in any practical manner, other than with yubikeys. (IMHO – perhaps not so H) Google is making a huge mistake.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top

WHY NOT SUBSCRIBE TO OUR NEWSLETTER?

Get great content like this delivered to your inbox!

It's free, convenient, and delivered right to your inbox! We do not spam and we will not share your address. Period!