Millions of Google and YouTube users to be automatically signed up to 2FA

150 million Google and 2 million YouTube users will be auto-enrolled into having two-step authentication (2FA) on their accounts by the end of the year, they announced on Tuesday.  

AbdelKarim Mardini, group product manager at Chrome and Guemmy Kim, director of account security and safety, explained the importance of 2FA and why they felt it was important to impose this on their users.  

“We know that having a second form of authentication dramatically decreases an attacker’s chance of gaining access to an account,” they said.  

“Two-step verification (2SV) is one of the most reliable ways to prevent unauthorised access to accounts and networks … and because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our user’s accounts into a more secure state.” 

You can learn more about the importance of 2FA, particularly from a business standpoint, here. 

Passwords, even very strong ones, are now often not considered sufficient to keep your account safe; so additional verification methods are required. Hence the move to introduce 2FA.  

“2SV is strongest when it combines both ‘something you know’ (like a password) and ‘something you have’ (like your phone or a security key),” according to Mardini and Kim.  

The pair also claim “Google has been at the forefront of innovation in two-step verification” and their method of 2FA makes it easy to adapt as their ‘Google prompt’ simply requires a tap on your phone to prove it is you trying to sign in. 

A change in approach 

Just 3 years ago at Usenix’s Enigma Security conference in 2018 Google software engineer Grzegorz Milka revealed that less than 10 percent of their active users had adopted 2FA.   

Milka was concerned at the time about “how many people would we drive out if we force them to use additional security.” 

Now, however, Google feels the time is right to take a more proactive approach; “By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on.” 

Not everyone is included 

Although this may be considered one of the early steps in the introduction of more forceful security measures, they are choosing not to roll it out to everyone currently. 

“We also recognize that today’s 2SV options aren’t suitable for everyone,” they said. 

“We are working on technologies that provide a convenient, secure authentication experience and reduce the reliance on passwords in the long-term. Right now we are auto-enrolling Google accounts that have the proper backup mechanisms in place to make a seamless transition to 2SV.” 

The proactive introduction of 2FA may be viewed as an important step in the never-ending battle to combat cyberthreats, but it is not totally unbreachable. Attackers are now finding ways to circumvent these security protocols too, such as through the use of Telegram bots.