Google has started forcing some account holders to use two-factor authentication (2FA).
While this is a positive step for security, the Android Police website has found that many users appear to be more concerned about the inconvenience it could cause them. Presumably they’ve never encountered the inconvenience of having their email accounts hacked or having their details used to commit fraud!
Google has also been publicly disclosing its plans to auto-enrol users in 2FA for at least six months, so this development shouldn’t come as too much of a surprise.
Change won’t actually affect many users
Although having a mandatory requirement for 2FA seems like a big step, in real terms, it will likely only affect users who access their Google accounts in specific ways.
For example, if you have an Android phone with Google Play or an iPhone or iPad with Google apps installed, these devices are already set up to be the second factor. As such, if you always check your Gmail account via your phone or iPad using the official app, it’s unlikely you’ll notice any difference.
For all other users, 2FA will provide an added layer of security when accessing emails or other Google services using your account via a desktop browser or an unknown device.
It’s also worth noting that you’ll only need to use 2FA the first time you log in from a new device or location. After that, you’ll be able to set up “Trust this device” settings to ensure you can log in quickly in future.
These protections mean that if your Google account credentials are involved in a data breach, hackers should be unable to access your account. However, this will also be largely dependent on the methods you choose for using 2FA.
You will only be auto-enrolled into 2FA if your account has a phone number or another email address associated with it.
Choosing a 2FA method to stay secure
If your account is able to move to 2FA, Google will take you through the process of setting it up. You’ll initially have two options:
- Push notifications sent to your smartphone
- Temporary one-time passcodes sent to your phone via SMS
Opting for push notifications is the most secure method, as you’ll almost always have your phone on you. In contrast, one-time passcodes sent by SMS can be intercepted if your phone number is stolen or forwarded, granting criminals access to your Google account without your knowledge while appearing to be you.
What about authenticator apps?
You’ll need to set up one of the above methods first before you can connect your Google account to an authenticator app. The same is true if you wish to use USB security keys as your 2FA method.
Is there anything else you can do to stay safe?
Yes, but it comes at a price.
Hardware security keys can be carried around on your person at all times, and when you need to provide 2FA you simply plug them into your computer or connect wirelessly to your device. Hardware security keys typically cost at least £25 for a basic model, but that could be a small price to pay for the peace of mind that comes with robust security!