Auto-enrolment begins for Google multi-factor authentication
Google has started to turn on multi-factor authentication on consumer accounts by default, and aims to auto-enrol 150 million users by the end of 2021
Search and web giant Google has set in motion plans to introduce mandatory multi-factor authentication (MFA), often known as two-factor authentication (2FA), for account holders, and intends to transition 150 million users to the more secure system by the end of 2021.
First announced in May 2021, the changes reflect both the vulnerability of traditional password-only authentication to cyber criminals and other malicious actors, and the general unwillingness of consumers to adopt MFA, which Google refers to as two-step verification (2SV), usually on grounds of the added inconvenience.
In an announcement marking Cyber Security Awareness Month, Google’s director of account security and safety, Guemmy Kim, and group product manager for Chrome, AbdelKarim Mardini, wrote: “In addition to passwords, we know that having a second form of authentication dramatically decreases an attacker’s chance of gaining access to an account.
“For years, Google has been at the forefront of innovation in 2SV, one of the most reliable ways to prevent unauthorised access to accounts and networks. 2SV is strongest when it combines both something you know, like a password, and something you have, like your phone or a security key.”
Today, Kim and Mardini explained, Google users who have already signed up for MFA confirm their identity when they log in with a simple tap on a prompt sent to their smartphone. Going forward, users with “appropriately configured” accounts will be enrolled in this automatically; users can check whether their own account is enrolled in their Google account’s security settings. Besides the 150 million consumer accounts, Google will also require YouTube creators to activate the feature.
Auto-enrolment will not, for now, impact organisations using Google Workspace, which can continue to enrol their users if they wish, via the admin console.
Kim and Mardini said that Google did recognise MFA is not always suitable for everyone, so it is continuing to work on technologies that provide a “convenient, secure authentication experience” while reducing reliance on passwords.
Some of this work has included building security keys into Android phones, and the launch of the Google Smart Lock app, which performs the same function on iOS devices. Google also recently launched One Tap sign-in and a set of Identity APIs, together called Google Identity Services, which use secure tokens to let users sign into partner websites and apps such as Pinterest or Reddit.
“These new services represent the future of authentication, and protect against vulnerabilities like click-jacking, pixel tracking, and other web and app-based threats,” said Kim and Mardini.
Google is also encouraging users to sign up for its little-publicised Inactive Account Manager service, which safeguards accounts that users have stepped away from or no longer use for any reason. Dormant accounts are a genuine risk: the compromise of an unused, inactive VPN account at another organisation is believed to have given attackers their initial foothold in the impactful Colonial Pipeline ransomware incident earlier in 2021.
The service lets users tell Google when it should consider their account inactive, and whether it should delete the account and its data or entrust it to a trusted contact.
Users can sign up in their My Account settings, where they will be asked to set a period of inactivity that must elapse before Google takes any action (between three and 18 months), as well as who to notify and what should be shared, such as photos, contacts, emails or documents. Users may name up to 10 trusted contacts as digital executors for their accounts, set an automatic reply for anybody who tries to contact them via the defunct account, and choose whether the account should be deleted outright, including any publicly shared data.
“Setting up an Inactive Account plan is a simple step you can take to protect your data, secure your account in case it becomes inactive, and ensure that your digital legacy is shared with your trusted contacts in case you become unable to access your account,” said Sam Heft-Luthy, product manager at Google’s Privacy and Data Protection Office.