Security experts have been banging the drum about password managers and enabling two-factor authentication for what seems like an eternity. Probably because year after year, hordes of you keep using “123456” and “password” to secure your shit online. Well, Google’s not having it anymore. So long as you provide a secondary email or phone number, the company will soon start automatically enabling 2FA on your Google Accounts.
The change isn’t so much an announcement as it is a little tidbit included in an official Google blog on password security published today for World Password Day. According to Google, searches for “how strong is my password” shot up by 300% in 2020. But even if everyone used long, complicated passwords, Google says that’s not good enough, as it can encourage people to use that same, complicated-but-secure password across multiple accounts. The goal is to do away with passwords altogether.
“Soon we’ll start automatically enrolling users in 2SV [two-step verification] if their accounts are appropriately configured,” writes Mark Risher, Google’s director of product management, identity, and user security. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.” Risher then pointed to Android’s built-in security keys and the Google Smart Lock app for iOS password managers as other examples of efforts to make 2FA less cumbersome. He also highlighted Chrome’s built-in password manager, as well as the recently launched Password Import feature, which lets you upload 1,000 passwords from third-party sites into Google’s password manager for free.
Google already has 2FA as an option, but it’s not mandatory. You may have also noticed recently that starting last summer, logging into your Gmail might require you to tap a Google prompt from your phone. As to what Risher means by “appropriately configured” accounts, it basically refers to whether you’ve supplied Google with recovery information—a secondary email, phone number, an authenticator app, etc. You can check by heading to Google’s Security Checkup page.
Other than saying this would happen “soon,” Google hasn’t given a timeline for when automatic enrollment will begin or if there’ll be an official announcement when rollout starts. But you really don’t have to wait for Google to do it for you. Please, for the love of tech bloggers everywhere, enable 2FA so we don’t have to keep writing blogs reminding you why it’s a good idea to enable 2FA.