Illustration by Alex Castro / The Verge
Nudging users toward security works.
That's the top-line finding four months into Google's initiative to enroll users in two-factor authentication by default, detailed in a blog post to coincide with Safer Internet Day on February 8th.
In October 2021, the company announced plans to turn on two-factor authentication by default for 150 million Google users who had not already enabled it, and to require 2 million YouTube creators to use it. In the latest post, Google says it observed a 50 percent decrease in account compromises within that auto-enrolled group.
The strategy shows the power of a tech giant like Google to provide security by default, and it fits into a years-long project to move users toward a more robust security model, one that eventually aims at a future without passwords, according to another blog post published by the company last year.
Two-factor authentication, or “two-step verification” (2SV) as Google terms it, is a core pillar of this strategy: requiring something the user physically possesses, such as a hardware security key or a phone that receives codes via an app or SMS, raises account security well beyond what a password alone provides. But historically, the problem has been one of adoption.
In 2018, a Google engineer revealed that more than 90 percent of active Gmail accounts were not using two-factor authentication, prompting questions as to why Google wouldn't make the two-step authentication process mandatory. Since then, the company has been on a path to make 2SV a default option for a greater share of users and a mandatory step for some.
According to Google representatives, one of the remaining barriers is a lack of understanding about the full benefits of additional authentication procedures.
“There is a lot of educating that needs to happen with 2SV and we want users to understand what it is and why it's beneficial,” said Guemmy Kim, director of account security and safety at Google.
“We also need to make sure that users' accounts are set up correctly with a recovery email and phone number so they can avoid account lockouts once 2SV is enforced. We've already enrolled users that we deem to be early adopters and whose accounts were 2SV ready,” Kim said.
Although the number of web services supporting two-factor authentication has grown steadily, consumer adoption remains low. Twitter, which rolled out two-factor authentication in 2013, revealed in 2020 that only 2.3 percent of active accounts had enabled it; at Facebook, the figure was around 4 percent in 2021.
Where adoption exists, the most common 2FA option is to send one-time codes via SMS, which security experts consider the method most vulnerable to interception: the code travels over the carrier network and can be diverted by a SIM-swap or intercepted in transit. Ideally, two-factor authentication should make use of an authenticator app, like Google Authenticator or Authy, or a physical device like a hardware security key.
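The codes an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238) computed from a shared secret and the current time, so no code ever crosses the carrier network. The following Python is an added example for this article, not code from The Verge, Google or Authy: it generates codes the way an app does and verifies them the way a server should, with a small clock-skew window, a constant-time comparison and replay rejection. The base32 secret is constructed for the demonstration (it encodes the RFC 4226/6238 test-vector key), and the function names are the example's own.

```python
"""TOTP as implemented by authenticator apps (RFC 6238 over RFC 4226 HOTP),
with the server-side checks a verifier needs: a small clock-skew window,
constant-time comparison and rejection of already-used codes.
Added example for this article; not Google's or Authy's code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional, Tuple

# Constructed example secret: base32 of the ASCII key "12345678901234567890",
# the key used in the RFC 4226/6238 test vectors. Real apps receive such a
# string inside an otpauth:// URI, usually presented as a QR code.
EXAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode a provisioning secret; tolerate the spaces and missing '='
    padding that apps and QR payloads commonly omit."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' takes 4 bytes at the offset given by the digest's low nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """RFC 6238: HOTP with a time-derived counter, counter = at // step.
    This is what the app displays; nothing is transmitted to produce it."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6,
                last_used_counter: Optional[int] = None
                ) -> Tuple[bool, Optional[int]]:
    """Server-side verification. Accepts the code for the current time step
    and +/- `window` adjacent steps to absorb clock skew, compares in constant
    time, and refuses any counter at or below `last_used_counter` so a code
    observed once cannot be replayed. Returns (ok, counter_consumed); the
    caller must persist counter_consumed as the new last_used_counter."""
    if len(code) != digits or not code.isdigit():
        return False, None
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # already consumed: replay attempt or stale code
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    key = secret_from_base32(EXAMPLE_BASE32_SECRET)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    ok, used = verify_totp(key, code, now)
    print("verified:", ok, "counter:", used)
    # The same code presented again is rejected once its counter is recorded.
    print("replay accepted:", verify_totp(key, code, now, last_used_counter=used)[0])
```

The window of one step on either side is the usual trade-off between tolerating phone clock drift and widening the guessing surface; the per-account `last_used_counter` is what stops an attacker who phishes or shoulder-surfs a code from reusing it within that window.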