Google wants people to use 2FA, so its just going to turn it on for them – Ars Technica

Cartoon image of laptop and a hand holding a smartphone illustrate multifactor authentication.

Enabling two-factor authentication (2FA) on a Google account requires someone who is proactive about account security. Users have to log in, dig through the settings, and tick the right boxes. Of the billions of Google accounts out there, the uptake on 2FA is probably not that high, and Google is tired of it.

Yesterday, for “World Password Day,” Google announced a very bold move for account security. “Soon,” the company says, it will start “automatically enrolling” users in 2FA, provided their accounts are appropriately configured. Google doesn’t go into detail about what “appropriately configured” means, but it sounds like anyone who can have 2FA enabled will have 2FA enabled soon. Google’s preferred 2FA method is the “Google Prompt,” a notification Google pushes to your phone when you’re attempting to sign in. Rather than requiring you to type in a clunky code, the Google Prompt provides a simple “yes/no” check, making 2FA easier than ever.

On Android, Google Prompt is a full-screen pop-up built into every device as part of Google Play Services, so that’s easy. On iOS, Google Prompt requests for your account can be received by the Google Search app, the Gmail app, or the dedicated Google Smart Lock app. It sounds like everyone meeting these requirements will soon be enrolled in 2FA.

Most users stick with the default settings, and soon, the default setting for 2FA will be automatic enrollment. Non-tech-savvy users are the most likely to have not enabled 2FA on their accounts, so hopefully, they’ll still be able to figure out how to log in when the process suddenly changes. Google could also potentially lock someone out of an account if the company automatically enrolls a user in 2FA and the user’s device setup can’t actually support it. Hopefully, the first attempt includes some kind of wiggle room or consent.