Earlier in May, Google casually dropped in a password security blog that it planned on automatically enabling 2FA on Google Accounts. At the time, Google didn’t give any idea of what that timeline would look like other than “soon.” But in a Cybersecurity Awareness Month blog, Google now says that the process is already underway.
The blog itself is a broad overview of the various ways Google’s trying to make sign-ins safer. Google’s built-in Password Manager, the Google Smart Lock app, and its Google Identity Services are some of the highlighted methods—as is two-step verification (2SV). You may have noticed that since last summer, Google enabled Google Prompts as the primary 2SV method on all eligible phones. Google Prompt asks you to verify your identity by following a prompt on your smartphone when logging into your Google account.
“And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state,” Google writes. “By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on.” (The deadline for YouTube creators is Nov. 1.)
For now, Google is auto-enrolling accounts that already have proper backup in place. Basically, that means accounts that have supplied Google with recovery information, like a phone number, authenticator app, or secondary email. You can check whether you fall into that category by visiting Google’s Security Checkup page.
Generally speaking, you should already be using some kind of 2FA or 2SV on your accounts, especially ones that contain sensitive information. That’s because passwords are an inherently flawed security mechanism—the best ones are the ones you can’t possibly remember, which may lead people to re-use them. As a result, we’re starting to see tech companies move away from relying on them in favor of alternative methods and multi-factor authentication. Google has already stated it’s working toward a password-free future, and Microsoft announced last month that users no longer needed passwords to access their Microsoft account. At WWDC 2021, Apple also noted that it was working on a “Passkeys in iCloud Keychain” feature that would utilize TouchID or Face ID in lieu of passwords.