Google really wants you to stop relying on your password alone to protect yourself.
On Thursday, the company announced in a blog post that it will prompt pretty much all users to turn on two-factor authentication, and will ask people already enrolled to confirm they are who they say they are. And soon, the company will automatically get all users to have two-factor enabled.
"We’re starting with the users for whom it’ll be the least disruptive change and plan to expand from there based on results," Mark Risher, Google's Director of Product Management, Identity and User Security, told Motherboard in an email. "Our ultimate goal is to get everyone into a more protected and secure state by default."
In a blog post published Thursday, Risher explained the reasoning for this change.
"Passwords are the single biggest threat to your online security—they’re easy to steal, they’re hard to remember, and managing them is tedious," Risher wrote in the post.
The first step in the process will be to start with people who already have enabled two-step verification "to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in," Risher explained.
Those are users who regularly sign in into their Google accounts on mobile phones, and have some form of recovering their accounts if they lose their passwords, such as a recovery phone number and email. And users will be able to opt-out if they want, Risher told Motherboard.
Do you do research on passwords or multi-factor authentication? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Two-factor authentication, also known as multi-factor authentication or 2-step verification as Google refers to it, is a security mechanism by which you need to provide something else other than your password to log onto your account. That something else can be a code sent to your phone or provided by an ad hoc app such as Google Authenticator or Authy.
"For nearly all people/threat models, this is really great," Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told Motherboard in an online chat.
Security experts have been recommending and pushing users to turn on two-factor on all their accounts, especially those as sensitive as their email and social media accounts, for years. In the Motherboard Guide to Not Getting Hacked, we wrote that "You should do this for any account that offers two-factor authentication, but you should especially make sure you do it on your most important ones (your email, your Facebook, Twitter accounts, your banking and financial accounts.)"
Risher said that the company has already "begun automatically enrolling a small user group, we will be expanding that pool over the coming months."
This is not the first time the company takes a similar decision to improve internet security. In 2016, the company announced that it was going to flag all websites that did not use HTTPS web encryption in an attempt to shame them to fix that.
Subscribe to our cybersecurity podcast CYBER, here.