Google plans to make multifactor authentication (MFA) compulsory for Google account holders to better protect them from compromise in an increasingly dangerous and sophisticated threat landscape.
Announced by Mark Risher, Google director of product management, identity and security, to coincide with World Password Day, the change reflects the increasing vulnerability of traditional single password-based authentication to malicious actors.
“In 2020, searches for ‘how strong is my password?’ increased by 300%,” wrote Risher in a blog post. “Unfortunately, even the strongest passwords can be compromised and used by an attacker – that’s why we invested in security controls that prevent you from using weak or compromised passwords.
“At Google, keeping you safe online is our top priority, so we continuously invest in new tools and features to keep your personal information safe, including your passwords.
“On World Password Day, we’re sharing how we are already making password management easier and safer, and we’re providing a sneak peek at how our continued innovation is creating a future where one day you won’t need a password at all.”
Google already offers multifactor authentication, which it calls two-step verification or 2SV, to account holders as an option. At present, enrolled users who log in are asked to confirm that it is really them by tapping a Google prompt on their smartphone.
“Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured,” said Risher. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.
“We are also building advanced security technologies into devices to make this multifactor authentication seamless and even more secure than a password. For example, we’ve built our security keys directly into Android devices, and launched our Google Smart Lock app for iOS, so now people can use their phones as their secondary form of authentication.”
Welcoming the change, ProPrivacy’s Ray Walsh said Google’s decision was a “great way” to make sure users are not putting themselves at risk by failing to implement all the security available to them.
“If Google sees that someone already attached an account to a phone number or a secondary email address, it will prompt that user to begin making use of MFA,” he said. “This will greatly reduce the risk of an account being penetrated due to the use of a password alone.
“While not all users may want to implement MFA because they prefer the ease of use and convenience, in reality this is something that is designed to help those users and to protect their accounts.
“Google will only make it mandatory for people who have already provided linked information to begin using 2FA, meaning that users will not be forced to provide any additional data to Google.”