Google to start automatically enrolling users in two-step verification "soon"

Google to start automatically enrolling users in two-step verification “soon”

If you use a Google account, it may soon be mandatory to sign up to Google’s two-step verification program. As recently as 2017, a tiny amount of GMail users made use of its two-step options. Maybe the uptake is still slow, and Google has decided enough is enough. With so much valuable data stuffed inside Google accounts, it’s beyond time to ensure they’re locked down properly.

It’s enrolment time

With this need for security in mind, Google has announced the roll-out of automatic two-step verification. If your account is “appropriately configured”, you’ll be ushered into a land of extra security measures. There doesn’t seem to be any additional information about what “appropriately configured” means yet. The Google blog cites the security check-up page, but that simply lists:

  • Devices which are signed in
  • Recent security activity from the last 28 days
  • 2-step verification, in terms of sign-in prompt style, authenticator apps, phone numbers, and backup codes
  • Gmail settings (specifically, emails which you’ve blocked)

How this translates into “Hello, we’re going to enrol you into our two-step verification program”, I’m not entirely sure. Perhaps they’ll add more specific requirements which need to be met to enable the enrolment process at a later date. If the requirement is a minimum level of setting up various security options, then only the most security conscious might be asked to enable it in the first place. This would surely mean those in most need of security fine-tuning, won’t get it.

The password problem

Questions how this will work aside, Google continues to keep plugging away at the eternally relevant password problem. Their password import feature allows people to save passwords as a CSV file, then port it into Chrome. If you’re hopping from one password manager to another, and have a lot of yourself tied into Google services, this may be ideal.

We’re all impacted by weak security. Compromised logins have a knock-on effect for everybody. When your email is broken into, it allows attackers potential access into every account tied to it. A few password resets later, and one account used for spam is now multiple accounts spamming, sending infections, social engineering, the works. This is how people quickly build up small armies of compromise and go about their shenanigans on a daily basis.

It doesn’t have to be a major campaign. The operators don’t have to be criminal masterminds. A couple of random people with a little bit of tech know-how can quickly figure out how to monetise a few dozen stolen accounts. That’s how you eventually do end up with major campaigns, with more work for law enforcement and security researchers to figure out who the new kids on the block are.

Step up, and lock down

By keeping your accounts secure, you’re not just helping yourself. You’re helping everybody, and preventing them losing their savings or non-compromised PC to attackers leveraging your bad password practices. This is a good thing to keep in mind as we wave goodbye to this year’s World Password Day. It’s never too late to start brushing up on your passwords. Get yourself familiar with a couple of password managers and pick the right one for you.

Lock down your master password. Set up restrictions on who can login, and how. Make it so that only people in your specific geographical region can log in. Make yourself some backup codes, print them off, put them somewhere safe in case you lose master password access. Just a few of these steps will go a long way towards keeping both yourself and others much more secure than you were previously. There can’t be any better way to close out the week playing host to World Password Day than that.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.