“Activate two-factor authentication” is solid advice, and WIRED has been saying it for years. It ensures that your password is not the only line of defense against unauthorized access to your accounts. The only problem? It was still incumbent on you to find out how to get there. Now Google is taking its first steps towards enabling two-factor authentication by default for all of its users – and where Google goes in web security, the rest of the industry often follows.
The company said in a blog post this week that it will start asking users who have already enabled two-step verification to authenticate by tapping a prompt on their smartphone each time they sign in to their Google or Gmail account. (Gmail has about 1.8 billion users; users can also create Google Accounts using email addresses from other services.) Once Google assesses the data on how easily existing two-factor users interact with these mobile prompts, the company will automatically begin to opt users in to two-step verification.
“We’re starting with the users for whom this will be the least disruptive change and plan to grow from there based on the results,” said Mark Risher, Google’s director of product management for Identity and Personal Security, to WIRED. “It’s true that multi-factor authentication has always been considered cumbersome and difficult to set up, but for many users it is no longer the case.”
Multi-factor authentication adds one or more additional checks to a login process beyond a simple username and password. Your second factor could be an ephemeral, randomly generated code from an authenticator app, the presence of a physical authentication key like a YubiKey, or even a digital token built into your smartphone. And by adding at least one of those extra layers, you make it much more difficult for phishers, crooks, or other malicious hackers to break into your digital accounts.
While multi-factor authentication appears to be a clearly beneficial security feature, companies have been reluctant to force its use on everyone. Requiring two factors could deter consumers from trying their services, ultimately hurting their business. Users may also not have the equipment or know-how to navigate MFA, thus excluding them from services they might otherwise want to use.
“Ultimately, we want all of our users to have the best security protections, by default, on their devices and accounts,” says Risher. “At the same time, we recognize that the current two-step verification options are not suitable for all users, which is why we are actively working on technologies that provide a secure and fair authentication experience and eliminate reliance on passwords.”
Google users will still be able to turn off two-factor authentication if they change their mind. The goal, however, is to push both users and the tech industry at large towards a basic two-factor standard.
Google has been a leader on other major web security transitions, from promoting automatic updates and sandboxing with Chrome to promoting ubiquitous HTTPS encryption of web traffic. It’s not the only big player starting to get its users used to multi-factor authentication. Apple hasn’t fully mandated two factors for its Apple IDs, but in recent years the company has been aggressively promoting this feature and making it harder and harder to opt out.
“It’s great to see Google moving the industry forward by getting people to turn on multi-factor authentication, in this case with our smartphones,” said Kenn White, security engineer and founder of the Open Crypto Audit Project. “If we can make it easy to go beyond just credentials, that’s a victory for account security and for everyone. And we’re gradually starting to see large organizations like banks and healthcare adopt urgent protections like two-factor bond.”