Google’s Two-Factor Authentication (2FA) Enforcement: All You Need to Know


To enhance account safety, major portal websites, social media platforms, and online shops long ago made two-factor authentication (2FA) an option for their users. Google first launched its so-called two-step verification (2SV) in early 2011 in response to repeated attempts by authoritarian regimes to hack into the Gmail accounts of human rights activists. Soon after, tech giants like Microsoft, Twitter, Apple, and Amazon followed suit, making 2FA available to all account users.

It has now been a decade since Google’s introduction of 2SV. During this time, social engineering and privilege escalation attacks have shown greater sophistication, primarily as a result of the increased usage of social media. Even though most businesses have adopted two-factor or multi-factor authentication (MFA), on the consumer end the adoption rate of 2FA or MFA remains extremely low, despite service providers continuously trying to encourage usage. Twitter reported that only 2.3% of all active accounts between July and December 2020 had 2FA enabled.


Google’s Decision

Due to the increased risk of social engineering attacks, Google now believes that having a second layer of authentication is no longer an option but a must for account security. In early October 2021, Google announced that it is in the process of auto-enrolling 2SV for an additional 150 million accounts, as well as 2 million accounts belonging to YouTube creators, by the end of 2021.


How to Use Google Two-Step Verification

Just like any other 2FA framework, Google’s 2SV combines knowledge-based authentication and possession-based authentication. Knowledge-based authentication verifies the user’s identity based on “something they know”, such as passwords, security codes, and answers to security questions. Possession-based authentication confirms the user’s identity based on “something they possess”, such as a phone, security key, or biometrics (e.g. fingerprint scan, facial recognition).

Google currently offers the following forms of authentication:


1. Phone Verification (Google Prompts)

Referred to by Google as Google prompts, phone verification is the simplest authentication method for the average user. Once the user signs in to their Google account on their phone, Google automatically adds the phone to their list of devices. The user can then use the phone as a second layer of authentication. After entering the correct password, a notification pops up on their phone. The user then needs to open the notification to confirm and sign in.

What if I lose my phone? The biggest reason why people refrain from using phone-based authentication is that they are worried about being locked out of their account if their phone is lost or stolen. To address this, Google provides backup options to prevent users from getting locked out of their accounts. Currently, two backup options are available: the user can either enter a secondary phone number to which a one-time password (OTP) can be sent on request, or print out a list of ten backup codes to be kept in a safe location, each of which can be used only once.
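The backup-code option described above, written here as an added illustration rather than Google’s own code: a hypothetical server-side store that issues ten codes, keeps only salted hashes of them, and deletes a code the moment it is accepted, which is what makes each code single-use. The eight-digit numeric format is an assumption.

```python
import hashlib
import hmac
import secrets
import string


class BackupCodeStore:
    """Hypothetical per-account store for single-use backup codes (not Google's code)."""

    ALPHABET = string.digits  # numeric codes are an assumption, not Google's spec
    CODE_LEN = 8
    CODE_COUNT = 10

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Codes are high-entropy random strings, so a salted SHA-256 is adequate here;
        # user-chosen secrets would need a slow KDF instead.
        return hashlib.sha256(self._salt + code.encode()).digest()

    def issue(self) -> list[str]:
        """Generate a fresh, unique set of codes, replacing any still unused."""
        codes: list[str] = []
        while len(codes) < self.CODE_COUNT:
            code = "".join(secrets.choice(self.ALPHABET) for _ in range(self.CODE_LEN))
            if code not in codes:
                codes.append(code)
        self._hashes = {self._digest(c) for c in codes}
        return codes  # returned once, at issue time, so the user can print them

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; unknown or already-used codes are rejected."""
        candidate = self._digest(submitted.replace(" ", "").strip())
        matched = None
        # Walk every stored hash so timing does not reveal which slot matched.
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)  # consumed: the same code will never verify again
        return True
```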


2. Security Key

A security key is a physical device that acts as a key to the account, usually connecting through USB, NFC, or Bluetooth. Google accepts three types of security keys. The first is to use a compatible phone’s built-in security key. Most flagship Android devices, as well as iPhones and iPads, have an embedded NFC or Bluetooth-based security key that is readily available. The user only needs to select their phone as the security key during the 2SV setup process. However, note that only one security key can be paired with each account, meaning that users cannot have multiple devices act as security keys to the same account. 

Users can also purchase one of the Titan Security Keys made by Google, a USB device with NFC capability. Users can choose between the USB-A/NFC version and the USB-C/NFC version depending on their needs.

Lastly, users can purchase any of the third-party security keys compliant with the FIDO U2F open authentication standard, most of which sell for between $20 and $60.


3. App Passwords

App passwords are not used for direct logins within Google’s domain. Instead, they are used when third-party apps ask permission to connect to the user’s Google account. Furthermore, App Passwords are not required for trusted apps that already have a “Sign in with Google” button. These are only used when an untrusted app wants to connect to the user’s Google account. As a result, Google does not recommend using them in the first place.

If a user wants to use App Passwords, their Google account must already be enrolled in 2SV. The user needs to select “App Passwords” during the Google login process and select the respective device and app, after which a 16-character login code for that specific app will be generated. Since most apps only require the user to log in once to connect their Google account, there is no need to remember the code.


Two-Factor Authentication is Key to Account Security

For a decade, the majority of online users resisted adopting 2FA due to perceived complexity and the fear of being locked out of their accounts. Google is now sending a clear message that having a password alone no longer guarantees security. As explained in this article, modern 2FA methods are no longer complicated and difficult to use: a simple tap on your phone or a mobile OTP is all that is needed.

Despite the low adoption rate in the consumer market, 2FA has long been a standard security practice in enterprises. iSIGN+ is an enterprise 2FA/MFA solution used by businesses, NGOs, and healthcare providers worldwide, securing business accounts and protecting IT resources from the risks of account compromise. iSIGN+ customers enjoy both security and simplicity thanks to its single sign-on (SSO) capability, requiring only one set of login credentials to manage all resources. 


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security