A Google account sits at the heart of the internet experience for billions of users worldwide. Protecting it is paramount if services such as Gmail, Google Docs and Google Photos are to remain secure. This is why a new Google update impacting how two-factor authentication is enabled could be a pivotal moment for millions. Complexity is the enemy of security, at least when it comes to the end-user engaging with more secure ways of doing things. This is why this update is actually a ‘down-date’ as it introduces a simplified experience for adding 2FA to any Google account.
Less Is Definitely More When Talking SMS Authentication
The announcement from the Google Workspace Team, A simplified experience for Workspace users to add 2-Step Verification (2SV) methods, delivers pretty much what it promises. The old way of implementing 2FA setup for Google account holders involved a requirement to provide a telephone number before they could even think about choosing what type of second-factor was to be employed for the account login process. Understandably, people are both weary and wary of handing over telephone numbers these days. Not only is this an unwanted complication for many reading about 2FA and wanting to implement it on one of their most important accounts, but it’s also not the most secure of verification methods either.
Google doesn’t implicitly mention the downsides of using SMS or voice messages as a verification factor in the announcement, but it does in a linked 2FA support document which warns users “Although any form of 2-Step Verification adds account security, verification codes sent by texts or calls can be vulnerable to phone number-based hacks.”
The new 2FA update from Google means that users no longer have to enter a telephone number as a second factor just to switch the security system on. Instead, users will now be able to choose which second-factor methods they want to use, crucially, before enabling 2FA itself. So, rather than being forced into adding the relatively insecure SMS method, you will now be able to remove it from the security equation altogether.
Google Confirms Rapid Release Of 2FA Update
Google has said that the update should be available to all users, both Workspace customers and personal Google account holders, by May 9 at the latest. One thing that Google has flagged regarding the change is that whereas before the update, “all second factors would be removed when the user turned 2SV off,” that’s no longer the case. Instead, when a user disables 2FA, their enabled second factors, including Google Authenticator and any backup codes, as well as the second-factor phone number, will not be deleted automatically from the account. However, when a Google Workspace administrator turns off 2FA for a user then all second factors will be removed to “ensure user off-boarding workflows remain unaffected.”