Google will begin automatically enrolling users in two-step verification

In an attempt to keep users' accounts secure, Google will soon require users to confirm their identity by accepting a prompt on their mobile devices.




Just in time for World Password Day, Google has announced that it will begin automatically enrolling users into its new two-step verification process. Users will soon be required to tap a Google prompt on their smartphone whenever they sign in to a Google service.

Users will be automatically opted in if their accounts are appropriately configured, though the company does not explicitly say what "appropriately configured" means.

Google points out that Android devices already feature Google's security keys, allowing users to receive Google prompts without installing a secondary app. iPhone users will be required to install the Google Smart Lock app.

The move is designed to keep a user's email account safe in the event of a data breach. Google states that "66% of Americans admit to using the same password across multiple sites, which makes all those accounts vulnerable if any one falls."

While Google says they'd like to move toward a password-free future, they also point out that Google's Password Manager allows users to create complex and unique passwords and store them in their Google account. The service is available for Chrome-based browsers, Android, and iOS.

Recently, Google announced plans to eventually abandon third-party cookies and move to a new method of collecting data on users in aggregate to assist in targeting ads. The company began opting users into a beta test without their knowledge.


Comments

  • Reply 1 of 26
    Naiyas Posts: 63 member
    Whilst I am not one, I do know many people who do not have a mobile phone at all. Moves like this exclude a huge number of people and all tech companies and governments today are guilty of excluding a huge number of people.

    It should not be mandatory to require a mobile device for anything on the web or to interact with government.
  • Reply 2 of 26
    meterestnz Posts: 37 member
    Beta testers opted in without their knowledge — typical Google. Says it all about this company 
  • Reply 3 of 26
    charlesatlas Posts: 273 member
    I've already been locked out of several old Gmail accounts in the last couple of years. Google would demand I confirm my identity, which I did by answering my security questions (back when accounts had them), but they then demanded I enter my phone number for verification, and I know for undeniable fact that I have never linked my phone number to any Gmail account. Guess I'll lose a few more accounts now.
  • Reply 4 of 26
    MplsP Posts: 3,038 member
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
  • Reply 5 of 26
    gatorguy Posts: 22,874 member
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    So "someone" is initiating logging into your Google Chrome account but you're OK with Google not verifying it's you? Kids, a friend/roommate who thinks they might have a valid password for you, or worse someone who has purchased your stolen credentials from Dark Web markets  for some account, financially, social or whatever,  to be accessed on-line.  Geesh, that makes zero sense. What do you think Google is going to do with your phone number without your express permission, prank-call you?
    edited May 6
  • Reply 6 of 26
    williamh Posts: 774 member
    Kudos to you folks who steadfastly refuse to secure your accounts. Attackers usually go after "low-hanging fruit." Might as well be you.  Thanks.

    For those of you who believe that it should not be mandatory to require a mobile device for anything on the web, you should be pleased to learn that Google agrees with you.  You do not need a mobile device to set up multi factor authentication.  The AI article doesn't delve into it, but the MFA/two-step options not requiring a mobile phone include phone calls (doesn't have to be mobile!), a security key like a Yubikey, or even a printable sheet of one-time passcodes.  If you do have a mobile device, you can use SMS messages (not ideal) or an authenticator app for MFA.
  • Reply 7 of 26
    lkrupp Posts: 9,110 member
    gatorguy said:
     What do you think Google is going to do with your phone number without your express permission, prank-call you?
    Google, being the sleaze ball company it is, will sell your phone number to the robocall industry so they can call you ten times a day.
  • Reply 8 of 26
    Rayz2016 Posts: 6,755 member
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    You don’t need to give them your phone number. Use an authentication app like Authy, which means you’re not locked out if you lose your phone. 

    If you use 1Password it will even fill in the one-time password for you. 


  • Reply 9 of 26
    baconstang Posts: 705 member
    My Gmail account is my 'dead letter' mailbox.

    If they're going to make it more difficult to go in and delete everything, I'll just do it once a month instead of once or twice a week.
  • Reply 10 of 26
    lkrupp Posts: 9,110 member
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    But you ARE okay with Apple’s 2FA requirements for iCloud and other services? It’s mandatory now you know, no longer optional. 
  • Reply 11 of 26
    rotateleftbyte Posts: 1,508 member
    Low hanging fruit? It depends on what you use the Gmail account for. If it is a throwaway email address for all those sites that demand one even to browse then what is the problem with not securing it? If I had a gmail account that is what I'd use it for but I basically refuse to give Google any data unless I can't avoid it. I've even stopped using two sites because they insist on using CAPTCHAs. IMHO, 2FA is a PITA unless you are of an age where you have had your phone surgically attached to your hand. Then I had an issue with my mother's ISP. They refused to log a fault unless my mother gave them her mobile number (for a landline fault). The problem was that she didn't have a mobile phone (she was in her late 80's). Catch-22. There has to be a better way to improve security.
  • Reply 12 of 26
    jib Posts: 21 member
    lkrupp said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    But you ARE okay with Apple’s 2FA requirements for iCloud and other services? It’s mandatory now you know, no longer optional. 
    Not quite mandatory yet. Although Apple strongly pushes 2FA (every time you update iOS, for example) and they won't let you undo it if you enable it, you can still refuse to enable it.  I have an Apple ID with a cloud that does not have 2FA (because I share it -- for purchases-- with my adult son who doesn't live with me.) Eventually Apple may do what google is apparently aiming to do -- force it upon people, but not quite yet.
  • Reply 13 of 26
    williamh Posts: 774 member
    jib said:
    lkrupp said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    But you ARE okay with Apple’s 2FA requirements for iCloud and other services? It’s mandatory now you know, no longer optional. 
    Not quite mandatory yet. Although Apple strongly pushes 2FA (every time you update iOS, for example) and they won't let you undo it if you enable it, you can still refuse to enable it.  I have an Apple ID with a cloud that does not have 2FA (because I share it -- for purchases-- with my adult son who doesn't live with me.) Eventually Apple may do what google is apparently aiming to do -- force it upon people, but not quite yet.
    I'm pretty sure you can share your purchases without sharing the account by setting up family sharing.
  • Reply 14 of 26
    zimmie Posts: 522 member
    williamh said:
    Kudos to you folks who steadfastly refuse to secure your accounts. Attackers usually go after "low-hanging fruit." Might as well be you.  Thanks.

    For those of you who believe that it should not be mandatory to require a mobile device for anything on the web, you should be pleased to learn that Google agrees with you.  You do not need a mobile device to set up multi factor authentication.  The AI article doesn't delve into it, but the MFA/two-step options not requiring a mobile phone include phone calls (doesn't have to be mobile!), a security key like a Yubikey, or even a printable sheet of one-time passcodes.  If you do have a mobile device, you can use SMS messages (not ideal) or an authenticator app for MFA.
    Rayz2016 said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    You don’t need to give them your phone number. Use an authentication app like Authy, which means you’re not locked out if you lose your phone. 

    If you use 1Password it will even fill in the one-time password for you. 
    Google doesn't let you set up MFA in the first place without a phone number. Yes, it can be a landline, but it must be able to receive calls or text messages, as they won't enable MFA at all without acknowledgement that you received a code provided via a phone call or SMS. Can't get to the option to use a Yubikey or TOTP or whatever else until you have provided a working phone number and proof that you have access to the phone at that number.

    gatorguy said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    So "someone" is initiating logging into your Google Chrome account but you're OK with Google not verifying it's you? Kids, a friend/roommate who thinks they might have a valid password for you, or worse someone who has purchased your stolen credentials from Dark Web markets  for some account, financially, social or whatever,  to be accessed on-line.  Geesh, that makes zero sense. What do you think Google is going to do with your phone number without your express permission, prank-call you?
    Phone numbers are an extremely reliable way to correlate multiple accounts belonging to the same person. Vanishingly few people go to the trouble of maintaining more than one cell phone, one work desk phone, and one landline (and that last one has all but died out).

    I have about 30 email addresses I use for different things (mostly vendors or services I don't want to be able to correlate my activity), and a few of them are Gmail accounts dating back to when it first dropped the invitation requirement. If I gave Google my phone number, which is required to activate MFA, they would be able to correlate all of the Gmail accounts as probably belonging to the same person. The passwords for all of my Gmail accounts are long, randomly generated, and never reused for anything else, so the only possible source of a leak is Google themselves.

    Frankly, it's the same as cross-site tracking via third-party cookies or hidden frames or invisible 1x1 gif "beacons" in emails. They don't need to know that the same person owns these different accounts.
  • Reply 15 of 26
    Naiyas said:
    Whilst I am not one, I do know many people who do not have a mobile phone at all. Moves like this exclude a huge number of people and all tech companies and governments today are guilty of excluding a huge number of people.

    It should not be mandatory to require a mobile device for anything on the web or to interact with government.
    That's the whole "appropriately configured" part. The writer of the story didn't know, but it means you need to have registered a mobile phone number with your Google account. If you haven't, you won't be required to do 2FA. 
  • Reply 16 of 26
    Vision1 Posts: 4 member
    The problem I have with this is that you are “forced” to install an extra Google app that collects data from you. Glad I use iCloud.  I actually also succeeded in using Bing instead of Google. 
  • Reply 17 of 26
    williamh Posts: 774 member
    Vision1 said:
    The problem I have with this is that you are “forced” to install an extra google app that collects data from you. Glad I use iCloud.  I actually also succeeded also to use bing instead of google. 
    You are not forced to install a Google app but that is one of the options. I can’t imagine why you would choose Bing over Google.  A bit like choosing herpes over chlamydia.  Why not use DuckDuckGo?
  • Reply 18 of 26
    MplsP Posts: 3,038 member
    lkrupp said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    But you ARE okay with Apple’s 2FA requirements for iCloud and other services? It’s mandatory now you know, no longer optional. 
    It’s not mandatory, but yes - I trust Apple with my data infinitely more than Google. (If you frequent these forums you should know why.)
  • Reply 19 of 26
    MplsP Posts: 3,038 member

    gatorguy said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    So "someone" is initiating logging into your Google Chrome account but you're OK with Google not verifying it's you? Kids, a friend/roommate who thinks they might have a valid password for you, or worse someone who has purchased your stolen credentials from Dark Web markets  for some account, financially, social or whatever,  to be accessed on-line.  Geesh, that makes zero sense. What do you think Google is going to do with your phone number without your express permission, prank-call you?
    The same thing they do with all the other data they collect without my express permission - collect, monetize and sell it. I have nothing important on my google account so I’m totally fine with my password as it is.

    Rayz2016 said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    You don’t need to give them your phone number. Use an authentication app like Authy, which means you’re not locked out if you lose your phone. 

    If you use 1Password it will even fill in the one-time password for you. 
    I hadn’t heard of Authy - I’ll have to check it out.
  • Reply 20 of 26
    jdw Posts: 941 member
    lkrupp said:
    MplsP said:
    I have a google account that I sparingly use. When I do log into it, Google asks me to set up 2 factor authentication which I have steadfastly refused to do for the simple reason that I don't want Google to have my cell phone number.
    But you ARE okay with Apple’s 2FA requirements for iCloud and other services? It’s mandatory now you know, no longer optional. 
    WRONG!  It is NOT Mandatory!  I know because I keep it deliberately turned off.  

    2FA is the bane of human existence!  I often forget my phone at home, and I don't want the hassle.  Apple makes it hard to keep stupid 2FA turned off, but I assure you that it is possible.  Just make sure you don't have iCloud Keychain enabled, because that forces you to have it.  And watch out for the nagware popups now and then on iOS which try to trick you into enabling 2FA.  Apple is more sly than Google in that regard.  But Google are a band of idiots too for trying to force this upon us.  I agree with others who cited folks who don't have a smartphone at all.  It's encroaching on my individual liberty to demand I have that switched on.  If I want a less secure account, regardless of reason, that must be my prerogative.  To me, forcing 2FA on me is far, FAR worse than Ad tracking.  At least with Ad tracking, there are ways around it.  But if you force all accounts to have it, then choice is gone.  I've written to Tim Cook about this, but my email was ignored, no doubt.  I want to be in charge of enabling or disabling that which is considered "secure."
    edited May 7