Google will auto-enrol 150 million users in 2FA by end of 2021

Google has announced plans to automatically enrol an additional 150 million users in two-factor authentication (2FA) by the end of 2021.

Known as two-step verification (2SV), the security feature combines the use of a password with a mobile device or a security key in order to diminish the chances of unauthorised access to accounts and networks. For instance, users signing in to their Gmail account, particularly when using a new computer for the first time, are asked to tap a prompt on their smartphone to authorise the login.

In a blog post published on Tuesday, the tech giant stated that enabling security protections by default is “the best way to keep [their] users safe”, which is why it's moving to ensure that more accounts have the 2SV feature switched on:

“By the end of 2021, we plan to auto-enrol an additional 150 million Google users in 2SV,” it announced, adding that an additional two million YouTube creators will be required to turn the feature on by the end of the year.

The tech giant acknowledged that not everyone has access to a smartphone or a security key, noting that it is “working on technologies that provide a convenient, secure authentication experience and reduce the reliance on passwords in the long-term”.

“We know security keys provide the highest degree of sign-in security possible, that’s why we've partnered with organisations to provide free security keys to over 10,000 high-risk users this year,” it stated.

Google said that users will be able to benefit from built-in security key capabilities in Android phones as well as its Google Smart Lock app for iOS, adding that its 2SV technology is automatically supported by “two billion devices around the world”.

In a Twitter post, Google product manager Sriram Karra said that today’s announcement “is just the beginning”.

“The 150m 2SV user count is staggering already if you look at it in the broader industry context. For e.g. Twitter recently announced ~2.5% of its ~350m active users have 2SV - that's ~9m user accounts,” he stated.

Companies across the tech industry have been working to strengthen account security and minimise users' reliance on passwords. In June, Twitter announced that its users would be able to use a security key as their only 2FA method, while in September, Corporate VP of Microsoft Security, Compliance and Identity, Vasu Jakkal, stated that customers “can now completely remove the password from [the] Microsoft account”.

However, 2FA has also been the target of cyber criminals. Earlier this week, Coinbase sent out letters to 6,000 customers informing them that hackers managed to exploit “a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor (2FA) authentication token”.