Google will soon enroll users into multi-factor authentication by default, the technology giant said on Thursday.
In a blog post commemorating World Password Day, the company announced the move to make users sign in via a second step after entering a password, such as a phone app.
“Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured,” wrote Mark Risher, director of product management, identity and user security. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.”
While multi-factor authentication isn’t entirely foolproof, and users will be allowed to opt out, Google’s embrace of automatic enrollment could be a big security boon. Microsoft said its studies concluded that multi-factor authentication makes someone’s account 99.9% less likely to be compromised.
A noted security researcher applauded Google’s decision.
“If they succeed this will probably be one of the most important cybersecurity improvements this decade,” tweeted Matt Tait, a former analyst at British spy agency GCHQ and now chief operating officer at the security research firm Corellium.
Google intends the move as but one temporary solution to the problems posed by passwords, “the single biggest threat to your online security,” Risher wrote.
“One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then Google will continue to keep you and your passwords safe,” he said.
That includes the recent launch of Password Import, which allows users to upload up to 1,000 passwords at once into Google’s Password Manager from outside sites.