Google has confirmed that it will be pushing forward, on an ‘automatic enrollment’ basis, with a bold security update for some 150 million users before the year-end. I am sure you are wondering if you will be among the chosen ones who get opted into using this powerful password shield and, if so, what exactly that means.
Google flips the password security switch for millions
The confirmation from Google came by way of an official safety and security blog posting this week. The announcement by Google’s Chrome group product manager, AbdelKarim Mardini, and director of Google account security and safety, Guemmy Kim, reinforces the password security switch message I wrote about back in May.
Yes, we are talking about two-factor authentication (2FA) here, or two-step verification (2SV) in the case of Google. The differences are, for the average user, just a matter of semantics. Strictly speaking, a 2SV code is likely to belong to the same authentication factor category as your password, namely something you know, but in practice it can also act as a second factor.
The quick and dirty explanation is that the ‘knowledge’ factor, let’s say your password plus a code you are asked to input, spills over into possession (something you have) if that code arrives by way of your smartphone, and into inherence (something you are) if you unlock that device or an authentication app using face or fingerprint recognition.
What matters most here is that Google is bringing additional protection to your login credentials. Important because, as recent research into credential stuffing showed, the use of compromised login details is on the up. One significant report even pegs 61% of data breaches as involving credential misuse.
Will you be among the 150 million Google users automatically opted-in?
This automatic enrollment of 150 million Google accounts is good news. Still, some people have emailed me with concerns that it could lead to them being effectively locked out of their accounts if they don’t have the right authenticator app or hardware key, for example. I took these concerns to the director of account security and safety at Google, Guemmy Kim, to discover how the 150 million accounts will be chosen and what the enrollment process will look like.
Starting with the selection process, Kim told me that the criteria for picking accounts to enroll into 2FA protection include “those who regularly sign into their account and engage with Google products on their mobile devices, and who have recovery information on their accounts, such as a recovery phone number and recovery email.” These users are, according to Kim, going to be in a position where automatically switching on that 2FA “won’t be disruptive and won’t get them locked out of their accounts.” You can pre-emptively verify if your account is ready for this move towards password protection by taking the Google security checkup.
What if you don’t want to use 2FA?
Which still leaves the small matter of process nitty-gritty. I also asked Kim if she could explain the enrollment process. This seems to be missing from pretty much all the reports I have seen, including that Google safety and security blog announcement I already mentioned.
“Users will be notified seven days before their sign-in method changes from password-only to 2-Step Verification,” Kim assures me, adding, “they’ll be notified again when the change is made seven days later.” These notifications, I am told, will be delivered by way of both email and mobile.
That first seven-day notice of intent will also contain an option to allow the user to turn 2FA on immediately rather than wait another week for the enhanced security protection it provides. “Users who choose to turn it on early,” Kim says, “will enter the 2-Step Verification set up flow and be asked to enter any additional backup information.”
And talking of options, I had to ask whether this was all mandatory, as is the case for around 2 million YouTube creators who will be required to activate 2FA account protection if they want to continue earning money beyond the end of the year.
“At this stage,” Kim says, referring to the seven-day notification, “users can opt-out if they want to.”
A password security move in the right direction from Google
Google hopes that users start to understand that the security and convenience benefits of new advanced forms of 2FA outweigh any past negative perceptions. Such authentication “is no longer just limited to codes, and Google has been a leader in the development of advanced forms of authentication, like security keys built right into your phone, that ensure a seamless experience,” Kim says.
These keys are built right into Android smartphones, while iPhone and iPad users can install the Google Smart Lock app instead.
Although I’m generally not a fan of being opted-in to anything, I’ll make an exception when it comes to improved account security such as this.
Not least as Kim would appear to have answered the concerns that Sean Wright, application security lead at Immersive Labs, had back in May when we spoke. While agreeing that it was a good move by Google, Wright said that individuals should be able to “decide whether they want to accept the risk and disable it.” One box ticked.
Another also gets a checkmark as Wright warned that Google must “clearly communicate this change” rather than go ahead without adequately informing users.
Thankfully, the seamless user experience is at the forefront of Google’s thinking here, it would seem. While not going down the entirely passwordless route that Microsoft has now implemented for Windows 10 and 11 users, Google is moving in the right direction, nonetheless. “As passwords become a thing of the past,” Kim concludes, “sign-in will become safer and more convenient.”
Therefore, the question becomes not one of whether you’ll be chosen to get this auto-enrollment into Google’s 2FA system but rather why you haven’t already opted in yourself?