Your Google accounts will soon default to 'two-step verification'

Cal Jeffrey

In a nutshell: World Password Day was last Thursday. In honor of the day, Google announced that it would soon make two-factor authentication default for all Google services users. Additionally, it will automatically enroll "appropriately configured" accounts. Appropriately configured means people who already have a recovery method in place, like a secondary email or phone number.

Keeping your online accounts secure is of utmost importance. Yet year after year, the most common passwords remain easy-to-guess strings such as 123456, 123456789, password, or 111111. What makes matters worse is that users tend to reuse them across multiple accounts. Having one's email compromised is bad enough, but if the same credentials are used for other sites like a bank, the consequences could be devastating. Google announced it would mitigate this risk for its users by making two-factor authentication (2FA) a default security setting.

Two-factor authentication adds an extra step to the sign-in process. After entering their password, users receive a notification (usually via text message to their phone, or a prompt on a phone that is already signed in to the account) that someone is trying to access their account. They verify that it is them either by entering the one-time six-digit code from the message or by tapping an "accept," "allow," or "okay" button. Google calls its version 2SV (two-step verification) and has offered it as an option for quite some time.

There is no arguing that 2FA is more secure than a password alone, but many users may not want to use it for various reasons. Arguably the most significant reluctance factor is that it requires them to trust their phone number to a company known for selling personal information to advertisers. Spam and robocalling are already real problems that have caused many consumers to guard their numbers closely.

Another possible problem would be rare instances where the user does not have a phone number or shares one with another person. It was unclear how Google would handle such situations. However, Director of Product Management for Identity and User Security Mark Risher clarified that users would be given the opportunity to opt out of 2FA.

"More factors means stronger protection, but we need to ensure users don't get accidentally locked out of their accounts," Risher told PCWorld. "That's why we're starting with the users for whom it'll be the least disruptive change and plan to expand from there based on results."

Two-factor authentication by default is just the first step Google is taking toward eliminating passwords completely.

"One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past," said Google, without expounding on what replacements it has in mind. The search giant also did not mention when it will implement the change, but users can expect it soon.


 
> Google announced that it would soon make two-factor authentication default for all Google services users. Additionally, it will automatically enroll "appropriately configured" accounts. Appropriately configured means people who already have a recovery method in place, like a secondary email or phone number.

Before automatically enabling, they need to check validation of the email and phone number.

> However, Director of Product Management for Identity and User Security Mark Risher clarified that users would be given the opportunity to opt out of 2FA.
Yeah, how often will that be a problem? With MS it is twice a year.
 
> Another possible problem would be rare instances where the user does not have a phone number or shares it with another person. It was unclear how Google would handle situations like this.

>rare
It's at times like this that it annoys me TS being so US-centric. That's a very common issue in developing and third world countries.

I also find 2FA a major nuisance and never faced a situation where I regretted not using it. If something bad ever happens, I'd say taking the risk was still worth all the hassle and time saved from all the years I have never used it. Rather the opposite, in fact - using 2FA has only caused me headaches. Quite a few times I've been locked out of accounts because of malfunctioning 2FA.

Nowadays I only use 2FA for logins related to banking, finances and investments.

If Google ever makes 2FA mandatory, it will be a great excuse for me to finally stop using all their services for good and switch to alternatives.
 
> >rare
> It's at times like this that it annoys me TS being so US-centric. That's a very common issue in developing and third world countries.
>
> I also find 2FA a major nuisance and never faced a situation where I regretted not using it. If something bad ever happens, I'd say taking the risk was still worth all the hassle and time saved from all the years I have never used it. Rather the opposite, in fact - using 2FA has only caused me headaches. Quite a few times I've been locked out of accounts because of malfunctioning 2FA.
>
> Nowadays I only use 2FA for logins related to banking, finances and investments.
>
> If Google ever makes 2FA mandatory, it will be a great excuse for me to finally stop using all their services for good and switch to alternatives.
Have you heard of app-based 2FA? You don’t need any data connection for it as it’s completely offline. Google supports it, as does TechSpot and tons of websites. I personally have over 50 accounts set up for app-based two factor authentication. Also known as TOTP, it’s standardized technology and there are tons of apps that support it.
 
Yeah, no Thank You Google. What would work MUCH better is to enforce secure password structure, i.e., requiring a password to be of sufficient length and complexity. Minimum of 12 characters, with at least one each of the following: Capitalized letter, Number and special character. Example: @Techspot714

While that may look easily guessed, it isn't. This is greatly better than 2FA all day, everyday.
 
> Have you heard of app-based 2FA? You don’t need any data connection for it as it’s completely offline. Google supports it, as does TechSpot and tons of websites. I personally have over 50 accounts set up for app-based two factor authentication. Also known as TOTP, it’s standardized technology and there are tons of apps that support it.

All app-based 2FA I've used required a phone number at least for the initial setup and creation of an account. And they might ask again for phone confirmation whenever they think there was any unusual activity from the account - which can mean anything, even just normally logging in, on the same device you've always used, but from a different browser than what you normally use.

If none of that is required, then I haven't heard of it. Anyways, for the kind of 2FA you describe, the service must support it. Personally I still wouldn't use it because like I have said, for me the inconvenience of 2FA far outweighs the risks of not using it except for the most critical services. So I hope it remains an optional thing.

> Yeah, no Thank You Google. What would work MUCH better is to enforce secure password structure, i.e., requiring a password to be of sufficient length and complexity. Minimum of 12 characters, with at least one each of the following: Capitalized letter, Number and special character. Example: @Techspot714
>
> While that may look easily guessed, it isn't. This is greatly better than 2FA all day, everyday.

Strong passwords really are everything you need. Fact is, people who have bad opsec will always find a way to screw things up and end up having their accounts hacked or invaded, no matter how many hurdles services put in the process. There comes a point where anything they add to "enhance security" only ends up inconveniencing users. Ideas like phasing out passwords are just so they can have more control over their users and better spy on them, adding security is just an excuse.
 
Wasn't there something about password phrases being a high quality option?
stuff such as 'committedheavenlybirthdays' type passwords

Sucks that I didn't learn this in my early years. I can still see my account details in breach files just by typing the 6 digits I used + hotmail into Google. And there are 2K hits off "password" across all types of ISP/major email provider emails to realty companies. That's sad.
 
> All app-based 2FA I've used required a phone number at least for the initial setup and creation of an account. And they might ask again for phone confirmation whenever they think there was any unusual activity from the account - which can mean anything, even just normally logging in, on the same device you've always used, but from a different browser than what you normally use.
>
> If none of that is required, then I haven't heard of it. Anyways, for the kind of 2FA you describe, the service must support it. Personally I still wouldn't use it because like I have said, for me the inconvenience of 2FA far outweighs the risks of not using it except for the most critical services. So I hope it remains an optional thing.
You just need a backup email for security notifications. For a 2FA failsafe, backup codes are provided, by TechSpot, Google, and most others. I find about half of sites support app-based authentication without any phone number whatsoever.

Anyways, I just confirmed I have a Google account that doesn’t have a mobile phone linked to it at all, only a backup email:
[screenshot attachments]
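The post above mentions backup codes as the failsafe for when the authenticator is unavailable. As an added example (not Google's or TechSpot's implementation, and not code from any commenter), here is how such a store is usually built: codes are random, shown to the user once, kept only as salted, stretched hashes, and destroyed after a single use. The eight-digit format and the set of ten mirror what Google's settings page shows; the PBKDF2 parameters, the per-account salt and the `BackupCodes` class are this example's assumptions.

```python
"""Added example: single-use backup codes stored as salted slow hashes."""
import hashlib
import hmac
import secrets
from typing import List

CODE_DIGITS = 8
CODE_COUNT = 10
PBKDF2_ROUNDS = 100_000  # an 8-digit code has only ~26 bits of entropy, so stretch it


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Per-account store: keeps hashes, never the codes themselves (assumed design)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes: List[bytes] = []

    def issue(self) -> List[str]:
        """(Re)generate a fresh set; the plaintext list exists only in this return value."""
        codes = [str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
                 for _ in range(CODE_COUNT)]
        self._hashes = [_digest(c, self.salt) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def consume(self, submitted: str) -> bool:
        """Accept a code at most once. Digits-only normalisation lets the user type
        the dashed form printed on the sheet; each comparison is constant-time."""
        cleaned = "".join(ch for ch in submitted if ch.isdigit())
        if len(cleaned) != CODE_DIGITS:
            return False
        candidate = _digest(cleaned, self.salt)
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(candidate, stored):
                del self._hashes[i]   # single use: burn it on success
                return True
        return False


if __name__ == "__main__":
    store = BackupCodes()
    fresh = store.issue()
    print("show to user once:", " ".join(f"{c[:4]}-{c[4:]}" for c in fresh))
    print("first use:", store.consume(fresh[0]))   # True
    print("reuse:    ", store.consume(fresh[0]))   # False
    print("left:     ", store.remaining())         # 9
```

Because the codes are short, the store must also be rate-limited at the login endpoint; the stretched hash protects the database copy, not the online guess rate.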
 
> You just need a backup email for security notifications. For a 2FA failsafe, backup codes are provided, by TechSpot, Google, and most others. I find about half of sites support app-based authentication without any phone number whatsoever.
>
> Anyways, I just confirmed I have a Google account that doesn’t have a mobile phone linked to it at all, only a backup email:
> [screenshot attachments]

I used to have Google Auth on one of my phones years ago and I could swear it required a phone number, but it's possible that my memory is failing me. Might also be possible that requirements change depending on what country you're in (for some services, authentication requirements tend to be more lax if you're in the US). But I'll install it and give it a try eventually.
 
It sounds like Google is desperate to get our contact number, thus, this mandatory move. For years, they have been prompting me to input a number in case Gmail account gets stolen, but without much success. This is one way to make sure you provide a real number that you will be actively using if you want to continue using Google products.

I think there is nothing wrong with people being wary of Google's intentions. Google is after all a data company that will collect any data that will benefit advertisers, and phone number is obviously an important one for them to reach out to you "personally".
 
Yeah, no. People complaining about their phone numbers becoming "compromised" or sold for advertising is almost dangerously false.

2FA doesn't require a phone number. If you use a TOTP-enabled app like Google Authenticator, or my preferred one, Authy, you can use virtually any device, regardless of internet connectivity or phone number status, as a second factor for authentication. Verify-by-SMS is actually one of the WORST ways to do 2FA, as SIM-swapping attacks are common. And the type of authentication that Google is enabling doesn't even require a phone number -- it sends the prompt directly to an eligible Android device.

And by the way, Google taking your information without consent is literally illegal in certain countries they operate in. It's okay to be wary about corporate actions, but please don't push unfounded conspiracy, especially when following it decreases personal privacy and security.
 
> Yeah, no Thank You Google. What would work MUCH better is to enforce secure password structure, i.e., requiring a password to be of sufficient length and complexity. Minimum of 12 characters, with at least one each of the following: Capitalized letter, Number and special character. Example: @Techspot714
>
> While that may look easily guessed, it isn't. This is greatly better than 2FA all day, everyday.
No password protects from the scenarios 2FA is designed to prevent (phishing - in the case of physical 2FA - credential stuffing, keylogging, other password leaks), so please stop spreading malicious advice. If you don't want 2FA, don't use it, but do not claim stronger passwords are "better", because that's not the case. 2FA and passwords complement each other; they are not substitutes.
 
I've been using 2FA since I had a couple devices breached with what I think was a 0-day flaw on the router I was using at the time. They obviously got into my Google account and they used Google Drive to move tons of files to and from my PC. I noticed special Linux builds that were transferred over to my system, as well as other things moved off my system that were sensitive.

At this point, I realized just how critical your Google account password is. I mean, even a person like me, that doesn't put everything on their phone, risks A LOT if someone were to get in. After securing my devices, I turned on 2FA and use an authentication app instead of SMS, since it's far more secure still.

But here's my question... WTH does Google keep sending me a notification about my birthday? They REALLY want me to put my exact birthday into my profile because they just won't stop asking for it. Why do they need that so badly? I'm getting tired of these companies making a fortune off of my info.
 
> I used to have Google Auth on one of my phones years ago and I could swear it required a phone number, but it's possible that my memory is failing me. Might also be possible that requirements change depending on what country you're in (for some services, authentication requirements tend to be more lax if you're in the US). But I'll install it and give it a try eventually.
You don’t need to use Google Auth, you can use any authenticator app because it’s standardized technology. I personally use Microsoft Authenticator with all my accounts including my Google accounts, but there are hundreds of options out there. I recommend finding something with an option to backup your codes.
 
> I've been using 2FA since I had a couple devices breached with what I think was a 0-day flaw on the router I was using at the time. They obviously got into my Google account and they used Google Drive to move tons of files to and from my PC. I noticed special Linux builds that were transferred over to my system, as well as other things moved off my system that were sensitive.
>
> At this point, I realized just how critical your Google account password is. I mean, even a person like me, that doesn't put everything on their phone, risks A LOT if someone were to get in. After securing my devices, I turned on 2FA and use an authentication app instead of SMS, since it's far more secure still.
>
> But here's my question... WTH does Google keep sending me a notification about my birthday? They REALLY want me to put my exact birthday into my profile because they just won't stop asking for it. Why do they need that so badly? I'm getting tired of these companies making a fortune off of my info.
I went with Authy and downloaded some codes just in case.

I gave Google my birthday minus the proper day. They've never bothered me about it.
 
> Yeah, no Thank You Google. What would work MUCH better is to enforce secure password structure, i.e., requiring a password to be of sufficient length and complexity. Minimum of 12 characters, with at least one each of the following: Capitalized letter, Number and special character. Example: @Techspot714
>
> While that may look easily guessed, it isn't. This is greatly better than 2FA all day, everyday.
These complexity "arguments" are, and have been, outdated since at least 2017. Why? They make passwords much harder to remember.

Interested in knowing more? Have a look at this - https://pages.nist.gov/800-63-3/sp800-63b.html
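To make the contrast concrete, here is an added example (not from the thread and not NIST's code) that puts the composition rule argued for earlier beside a check in the spirit of SP 800-63B section 5.1.1.2: a length floor and ceiling, a blocklist of breached and common values, context-specific words such as the service's own name, and no character-class requirements. The blocklist is a small constructed stand-in for a real breach corpus, and the leet-folding normalisation is this example's own approximation of what cracking rule sets do; both are assumptions.

```python
"""Added example: legacy composition rule vs. a NIST SP 800-63B style check."""
import re
import unicodedata

# Constructed sample. A real deployment loads a breach corpus (a local copy of
# a "pwned passwords" style list) plus the service's own names and the user's
# identifiers; "techspot" stands in for the context-specific word here.
BLOCKLIST = {"123456", "123456789", "password", "111111", "qwerty",
             "letmein", "techspot"}
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def legacy_complexity_ok(pw: str) -> bool:
    """The rule proposed in the thread: 12+ chars, one upper, one digit, one special."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _core(pw: str) -> str:
    """Normalise the way crackers' rule sets do: fold case, undo common
    leet substitutions, keep letters only (assumed heuristic)."""
    folded = unicodedata.normalize("NFKC", pw).lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def nist_style_check(pw: str, blocklist=BLOCKLIST):
    """Returns (accepted, reason). No composition rules, no forced rotation."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:
        return False, "longer than 64 characters"
    if pw.lower() in blocklist:
        return False, "on the breached/common password list"
    core = _core(pw)
    for word in blocklist:
        if len(word) >= 6 and word in core:
            return False, f"built around the blocked word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("@Techspot714", "committedheavenlybirthdays",
                      "P@ssw0rd2021!", "123456"):
        print(f"{candidate!r:30} legacy={legacy_complexity_ok(candidate)!s:5} "
              f"nist={nist_style_check(candidate)}")
```

"@Techspot714" satisfies every composition rule and still fails the blocklist check, because once case and leet substitutions are folded it is the service name plus three digits; the long passphrase from earlier in the thread fails the composition rule and passes the NIST-style check.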
 
> It sounds like Google is desperate to get our contact number, thus, this mandatory move. For years, they have been prompting me to input a number in case Gmail account gets stolen, but without much success. This is one way to make sure you provide a real number that you will be actively using if you want to continue using Google products.
>
> I think there is nothing wrong with people being wary of Google's intentions. Google is after all a data company that will collect any data that will benefit advertisers, and phone number is obviously an important one for them to reach out to you "personally".
And they are also desperate for a verifiable birth date claiming it is needed to comply with "Law". You will no longer be able to circumvent the verification process. Yet more BS from the kings of parasitism.
> I went with Authy and downloaded some codes just in case.
>
> I gave Google my birthday minus the proper day. They've never bothered me about it.
That will no longer happen. They are now enforcing some kind of age verification.
 
> If none of that is required, then I haven't heard of it. Anyways, for the kind of 2FA you describe, the service must support it. Personally I still wouldn't use it because like I have said, for me the inconvenience of 2FA far outweighs the risks of not using it except for the most critical services. So I hope it remains an optional thing.
Yes, that is an issue. My primary banks both use phone-based 2FA only which makes me grind my teeth. NewEgg supports app-based 2FA but seems to prefer defaulting to SMS or email (at random). But the number of services that support app-based natively is large and growing.

That said no matter how good you think your password security is, the service you're using also has to have good security, and that just isn't a given. 2FA is basically a door chain for the lock and key of username and password, a final layer of defense for when all else fails.

As an aside, if anyone is looking for a good 2FA app, I really like Aegis:

https://fossdroid.com/a/aegis.html

It's open-source and allows you to make automatic encrypted backups of all your 2FA without obnoxious ads or attempts to sell you a service.
 
ANY service that requires to use my cell phone number for ANYTHING will get canceled. There is ZERO reason to force a user to enter a cell phone number.
 