Google is going to start automatically enrolling users in two-step verification

If you use Google services, get ready for two-step verification to become the norm.

Google will soon start pushing more Gmail users and Google Account holders to enable two-step verification – the extra layer of security that can protect people when their credentials have been phished or exposed through a data breach. 

May 6 is "World Password Day" which is largely about making people less reliant on them for securing online accounts. 

Google's contribution this year is to nudge more people into enabling two-step verification, otherwise known as two-factor authentication. 

SEE: Network security policy (TechRepublic Premium)

Today, Google prompts its two billion Gmail users to enroll in two-step verification (2SV) but soon it will be automatically enrolling users. 

"Soon we'll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup)," Mark Risher, director of product management in Google's Identity and User Security group, notes in a blogpost. 

"You may not realize it, but passwords are the single biggest threat to your online security – they're easy to steal, they're hard to remember, and managing them is tedious," he says.  

That second factor, be it a security key or a smartphone, means that someone in possession of your username and password – in most cases – can't log into your account unless they have physical access to your device. 

Google has refined its processes over the years to make 2SV less of an obstacle, but it can still be fiddly if you change a mobile phone number. Today, after signing in with a username and password, users who have enrolled in 2SV get a code via SMS, voice call or the Google app. 

The other option is a security key like Google's Titan key. Google has also built its security keys in Android phones and last year delivered the same capability for iPhones via its Smart Lock app for iOS

"Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone," notes Risher. 

Passwords, unfortunately, are still rife some 17 years after Microsoft co-founder Bill Gates predicted they would one day disappear. Since then the world has only seen a proliferation of new username and password combinations, but two-factor authentication is more widely adopted and supported in online consumer services and in the enterprise. 

Multi-factor authentication does work. According to Microsoft, 99.9% of the compromised accounts it tracks every month did not use multi-factor authentication. 

Microsoft has also been doing its bit in tackling outdated password policies that lead to people choose bad passwords. 

SEE: This malware has been rewritten in the Rust programming language to make it harder to spot

Two years ago, it changed a Windows 10 security baseline that until then recommended enterprise users change their password every few months. "Periodic password expiration is an ancient and obsolete mitigation of very low value," Microsoft declared at the time

Google's other key password assistant is the built-in password manager in Chrome. Apple offers the same feature in its Safari browser. 

Risher also points to an experimental feature in Chrome called "password import" recently spotted by the Verge. It lets users import passwords from a CSV file.