Google will make two-factor authentication mandatory soon

Google hates passwords, so it's trying to replace them with two-factor authentication.

Most security experts agree that two-factor authentication (2FA) is a critical part of securing your online accounts. Google agrees, but it’s taking an extra step: It’s making two-factor authentication mandatory, and will start requiring it on Google accounts.

In a way, Google sees two-factor authentication as a replacement for passwords, which Mark Risher, Google’s director of product management for identity and user security, called in a statement “the single biggest threat to your online security.” Because passwords are easy to steal and hard to remember, users end up reusing them, and a single stolen password can then unlock multiple accounts, compounding the risk.

Google already uses 2FA to secure accounts, but it’s been optional until now. If you have 2FA enabled on your Google account, for example, you can view the passwords Google has saved by entering your password, then confirming the login on a separate phone via Google’s Authenticator app. It’s no coincidence that Google is announcing this on the so-called World Password Day.

This is two-factor authentication: compounding your security by taking something you know (a password) and combining it with something you have (an authorised phone).

Soon, however, Google will make 2FA mandatory. According to Risher, Google will start “automatically enrolling users in 2SV [what Google calls 2FA] if their accounts are appropriately configured.”

How Google’s 2FA enrolment will work

What does “appropriately configured” mean? According to Jonathan Skelker, product manager for account security at Google, the term means “users that already have recovery information on their accounts, such as a phone number or [secondary] email.” Google’s Security Checkup page already shows whether 2FA is set up on your account, and will presumably be how you learn whether you need to set up 2FA, and how to do it.

Google already allows you to import your passwords stored in other browsers or password managers into Google’s own Password Manager. Google also can generate its own passwords, and use them when you sign up for a new service or site via Chrome.

Google’s Password Checkup feature, for the web as well as for Android, also automatically checks your passwords against known password breaches. It’s not enough to follow our tips on creating strong passwords; you also need to know when one of your passwords has been exposed in a breach, and change it quickly.

Unfortunately, Google didn’t say if there was any way to opt out of 2FA—say, for a throwaway account that you only use as protection against spam, or as an alternate email for some other purpose.

If you hate passwords, though, take heart: Google’s working to eliminate them eventually. “One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past,” Risher said.