Encouraging users to make security work.
That’s the top-line finding four months into Google’s initiative to enroll users in two-factor authentication by default, detailed in a blog post coinciding with Safer Internet Day on Feb. 8.
In October 2021, the company announced plans to enable two-factor authentication by default for 150 million Google users who are not currently using the service, and to require 2 million YouTube creators to use it. In its latest post, Google says it has seen a 50 percent decrease in the number of accounts compromised among that test user group.
The strategy shows the strength of a tech giant like Google to provide security by default and fits into a years-long project to move users toward a more robust security model — ultimately aiming for a password-free future, according to another blog post published by the company last year.
Two-factor authentication, or “two-step verification” (2SV) as Google calls it, is a core pillar of this strategy, as account security is greatly increased by the requirement for a physical item such as a security key or phone to receive codes via app or text message. But historically, the problem has been one of adoption.
In 2018, a Google engineer revealed that more than 90 percent of active Gmail accounts were not using two-factor authentication, raising the question of why Google wouldn’t mandate the two-step verification process. Since then, the company has been on track to make 2SV a standard option for a wider range of users and a mandatory step for some.
According to Google representatives, one of the remaining barriers is a lack of understanding of the full benefits of additional authentication procedures.
“There’s a lot to learn with 2SV, and we want users to understand what it is and why it’s useful,” said Guemmy Kim, director of account security and safety at Google.
“We also need to make sure that users’ accounts are properly set up with a recovery email and phone number so that they can avoid account lockouts once 2SV is enforced. We have already enrolled users that we consider to be early adopters and whose accounts were 2SV ready,” Kim said.
While the number of web services that support two-factor authentication has grown steadily, consumer adoption remains low. Twitter, which rolled out two-factor authentication in 2013, revealed in 2020 that only 2.3 percent of active accounts had it enabled; at Facebook, that figure was around 4 percent adoption in 2021.
Where adoption exists, the most common 2FA option is sending one-time codes via SMS – which security experts consider the method most vulnerable to interception. Ideally, two-factor authentication should use an authentication app, such as Google Authenticator or Authy, or a physical device such as a hardware security key.