Google Enhances Account Security with Simplified 2FA Setup
Google is introducing a streamlined process for setting up two-factor authentication (2FA) on its platform, making it easier for users to protect their accounts from unauthorized access.
Simplified Setup: No More Phone Number Required
Previously, users had to provide their phone number as the first step in enabling 2FA. Now, they can directly add a “second step method,” such as an authenticator app or a hardware security key. This eliminates the need to rely on SMS verification, which can be less secure than either of those methods.
Multiple Options for Second Step Methods
Google offers two options for second step methods: time-based one-time passcodes generated by authenticator apps (e.g., Google Authenticator) and hardware security keys. These methods provide an extra layer of security by requiring a physical device or time-sensitive code in addition to the user’s password.
Hardware Security Keys: Two Registration Methods
Users with hardware security keys can register them through two methods. The first involves registering a FIDO1 credential, while the second involves creating a passkey and following instructions to “use another device.” The latter method registers a FIDO2 credential and requires the key’s PIN for local verification.
Passkey and Password: Organization Policy Restrictions
Google emphasizes that users with Workspace accounts linked to organizations may still need to use their password along with their passkey. This depends on the organization’s security settings and whether the “Allow users to skip passwords at sign-in by using passkeys” policy is enabled.
Second Factors Not Automatically Removed
Previously, disabling 2FA would automatically remove all associated second step methods. Now, these methods (backup codes, Google Authenticator, etc.) will not be automatically deleted if the user turns off 2FA. However, an administrator may remove them from the admin console.
“We’re simplifying how users turn on 2-Step Verification (2SV), which will streamline the process, and make it easier for admins to enforce 2SV policies in their organizations,” Google explained in a blog post.
Wide Availability and Quick Rollout
The updated 2FA setup process is rolling out to Workspace users and individuals with personal Google accounts. Google anticipates completing the rollout within three days.
By simplifying the 2FA setup process and offering flexible second step methods, Google is empowering users to enhance their account security and minimize the risk of unauthorized access to their data.