There was an uproar that it would be mandatory, but Google clarified that is not the case
In a nutshell: World Password Day was last Thursday. In honor of the day, Google announced that it would soon make two-factor authentication default for all Google services users. Additionally, it will automatically enroll “appropriately configured” accounts. Appropriately configured means people who already have a recovery method in place, like a secondary email or phone number.
Keeping your online accounts secure is of utmost importance. Yet year after year, we see that the most common passwords continue to be easy-to-guess strings like 123456, 123456789, password, or 111111. What makes matters worse is that users tend to reuse them on multiple accounts. Having one’s email compromised is one thing, but if the same credentials are used for other sites like a bank, the consequences could be devastating. Google announced it would mitigate this risk for its users by making two-factor authentication (2FA) a default security setting.
Two-factor authentication adds an extra step to the sign-in process. After entering their password, users will get a notification (usually via text message to their phone) that someone is trying to access their account. They can verify that it is them, usually by either entering a random six-digit code from the message or by tapping an “accept,” “allow,” or “okay” button. Google calls it 2SV (two-step verification) and has offered it as an option for quite some time.
There is no arguing that 2FA is more secure than a password alone, but many users may not want to use it for various reasons. Arguably the most significant source of reluctance is that it requires them to entrust their phone number to a company known for selling personal information to advertisers. Spam and robocalling are already real problems that have caused many consumers to guard their numbers closely.
Another possible problem would be the rare instances where the user does not have a phone number or shares it with another person. It was unclear how Google would handle situations like this. However, Director of Product Management for Identity and User Security Mark Risher clarified that users would be given the opportunity to opt out of 2FA.
“More factors means stronger protection, but we need to ensure users don’t get accidentally locked out of their accounts,” Risher told PCWorld. “That’s why we’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results.”
Two-factor authentication by default is just the first step Google is taking to eliminate passwords completely.
“One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past,” said Google without expounding on what replacements it has in mind. The search giant also did not mention when it will implement the change, but users can expect it soon.