Google will automatically activate two-factor authentication for its users

mylesillidge

Google to force two-factor authentication on users

Google has begun automatically enrolling users for two-factor authentication — or two-step verification (2SV), as Google terms it — as part of its plan to make sign-in more secure for all users.

"By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV," Google said in a statement.
 
This is good news; more online services should be enforcing 2FA. I have helped some tech-inept people get 2FA going on various accounts, and once they get the concept it becomes easy and natural as part of the login process.
 
2FA is a best practice, but the problem remains account recovery. I have noted lately, though, that in some service terms, in the case that 2FA is lost, account recovery is void, which I don't agree with; and yes, there are still steps to recover in accordance with the terms, but these processes dig deep into the user's privacy.

Imagine like owning +R100 000 in 'use licenses' on Steam and you lose your 2FA... This is a bad example, since Steam does allow multiple recovery methods.
 
2FA is a best practice, but the problem remains account recovery. I have noted lately, though, that in some service terms, in the case that 2FA is lost, account recovery is void, which I don't agree with; and yes, there are still steps to recover in accordance with the terms, but these processes dig deep into the user's privacy.

Imagine like owning +R100 000 in 'use licenses' on Steam and you lose your 2FA... This is a bad example, since Steam does allow multiple recovery methods.

That's why you print out the recovery codes and stick them on your PC like the passwords of old.
 
2FA is a best practice, but the problem remains account recovery. I have noted lately, though, that in some service terms, in the case that 2FA is lost, account recovery is void, which I don't agree with; and yes, there are still steps to recover in accordance with the terms, but these processes dig deep into the user's privacy.

Imagine like owning +R100 000 in 'use licenses' on Steam and you lose your 2FA... This is a bad example, since Steam does allow multiple recovery methods.

Agreed. You can force 2FA onto someone now, get them to use it and all will be well. Until they change their mobile phone and realize that the app doesn't just work any more. If they still have your number, expect a tech support call at the next phone upgrade time.
 
Well, great, Google, but I don't have an Android phone. So don't identify me as using your services. 2FA is great, but often people don't know how to use it or what its purpose is. Binance is a prime example, where it used to ask me for a code when changing browsers but now it asks me for one every time. I can only turn it on or off and not the way it used to be, which is just dumb. I see more and more going in this direction, which really defeats the purpose and doesn't make it more secure.
 
Agreed. You can force 2FA onto someone now, get them to use it and all will be well. Until they change their mobile phone and realize that the app doesn't just work any more. If they still have your number, expect a tech support call at the next phone upgrade time.

This, see it all the time with so many variations.
People love simple, hate complicated and difficult to understand.
 
That's why you print out the recovery codes and stick them on your PC like the passwords of old.

Until those recovery codes are accessed and used to take over your account. Better stick it in a place where the sun don't shine, and you can't rely on encryption, there is always a window. Because you know sticking codes on your PC is as good as having 'password' as your password.
 
Agreed. You can force 2FA onto someone now, get them to use it and all will be well. Until they change their mobile phone and realize that the app doesn't just work any more. If they still have your number, expect a tech support call at the next phone upgrade time.

The biggest exploit remains the user because they don't know how to protect themselves. Forcing 2FA on them won't train them to better protect themselves. The more and more we move commercially online, so do our identities. Computer literacy should now be a necessity.
 
I see it all the time with some people who don't know how 2FA works, start panicking they can't log in to Google, or can't get Gmail suddenly.

How? You log in, the Google dialog gives you the options and what flow is expected…
Where is the panic?

I see everyone still confusing 2FA to mean TOTP.
 
How? You log in, the Google dialog gives you the options and what flow is expected…
Where is the panic?

I see everyone still confusing 2FA to mean TOTP.

We will see when it rolls out. My guess is there will be a panic with lots of people not sure what is being asked from them, and the support calls flooding in.
 
We will see when it rolls out. My guess is there will be a panic with lots of people not sure what is being asked from them, and the support calls flooding in.

So no panic yet? Probably never if people read the dialog.
 
Until those recovery codes are accessed and used to take over your account. Better stick it in a place where the sun don't shine, and you can't rely on encryption, there is always a window. Because you know sticking codes on your PC is as good as having 'password' as your password.

Yes. Which is why I actually have mine saved on a USB drive infected with ransomware. If someone tries to take it, their PC will be fuk.
 
How? You log in, the Google dialog gives you the options and what flow is expected…
Where is the panic?

I see everyone still confusing 2FA to mean TOTP.

Try and explain 2FA to your 80-year-old mother who lives 2000km away and has all but lost her hearing, so talking her through it on the phone is a labour of love.
I am panicking over that, let me tell you.

But that aside, I as an IT person am so glad Google is taking the punch to the nads on this - makes my job enforcing 2FA to clients and internal users MUCH easier to defend.
 