Google to auto-enroll 150 million user accounts into 2FA

Well, this will mean a lot of business for many of us who have clients who will want to have this immediately reversed.

I don't use 2FA on my Google Accounts because, in my opinion, they do not warrant it. If I thought they did, it would be turned on already, like it is on a number of my other accounts.
 
I only have a YouTube account which last I checked was owned by Google so I hope it doesn't get hit as it will be a nuisance but it might cure me of actually using YouTube.
 
No 2FA is literally on the list of "bad practices" for a reason: https://www.cisa.gov/BadPractices

Indeed, it's a very short list:
  1. Use of unsupported (or end-of-life) software in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
  2. Use of known/fixed/default passwords and credentials in service of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.
  3. The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.

Get with it people. Collective use of single factor authentication is properly classified as a national security risk for a reason.

What Google is doing is a great thing, and yes it'll make your phones ring. This is good for everyone.
 
Good move for them.
I've had a GMail account since its first year out....
I use it for my backup/alternate emails. So....of course, 2FA is important for that, else...someone could get into my GMail account, and then hit up my O365 account...and start going down the road for password reset or something like that....getting from my GMail.

I have 18x accounts in my Microsoft Authenticator. Pretty much everything I have online is MFA'd.
 

It's really not that bad. When you log into something for the first time, you just need to give the ok from another device. After that, it doesn't do the 2FA thing again. It's less of a nuisance than having to provide a Google Auth code every time you log in. Although, I don't, personally, find it to be a nuisance at all. If a site/device has 2FA, I enable it, every time.
 
@pctechforhire I am familiar with 2FA in general and have no issues with it typically but for something like consuming free content with an account I only have to help follow select content and/or create playlist it is just a mild nuisance for the intended use.
 
Ah, ok. Well, that does make more sense. But it still should just be a one time thing. And if you're getting on YouTube on a device that is already trusted, nothing further is necessary. The only time I've ever had to deal with it, is if I'm logging into any Google product from a new device. After that, all products are accessible. And no 2FA even if I log out and back in.
If you have a smartphone and provided Google with the number.
There are very few people without a smartphone these days. But, you do make a good point. It's less of a nuisance with an Android phone, I'm sure. iPad/iPhone just needs the smart lock app installed. SMS is an option, but not an option I would ever employ, if I can help it. So, Google doesn't have my number, per se. Not directly, anyway.
 

You constantly choose to ignore the critical phrase in the very documentation you cite: Critical Infrastructure.

If you care to classify your average home user's Google account in that way, that's your choice. It is not, and never shall be mine.
 

Google, Microsoft, and Facebook accounts are increasingly being used as SSO for all sorts of online assets. As such breaching one allows for unparalleled access to online personas that are being documented via bot swarms automatically.

The first two grant access to encryption keys that can be used to decrypt portable machines of varying types, and the latter is going to be doing the same for all Windows PCs soon. Not to mention the property ownership associated with these accounts, and stored payment details.

You're flat wrong here, the industry has spoken FOR A REASON. And you sound like an anti-vaxer. Update your brain, and get moving. Personal accounts ARE critical, and have been so for some time.
 
And if you have ANY financial information accessed via your gmail user name then not having 2FA enabled is ridiculously foolish. Your primary email account needs 2FA, period. If you do password recovery via that account you need 2FA. And NO, it's not in the least bit inconvenient. I only get prompted for 2FA once per device. And I don't have to enter a code. On my Microsoft 365 account I don't even have to enter a password.
 
It is abundantly clear that I am never going to agree with the, "You absolutely, positively MUST have 2FA" camp.

I don't use my Google account to access anything but Google and a few odd sites that have zero connection to my finances or credit lines [and by that latter bit I mean my gmail address is my login ID, not that I use the "login using Google" method]. I do not, and never will, use Google or Facebook login (don't do Facebook) and my Microsoft account stays in the Microsoft ecosystem, as I've considered that insane from the outset. You have dedicated logins per venue you need to log in to, period, end of sentence, with strong passwords for each (regardless of the method you use to generate them).

I've got 2FA on banking and credit card accounts that support it (and one does not).

2FA is not essential for all things. It just isn't. And the more this sort of thing gets pushed, the more "creative" people are going to get about ways to work around it, opening up other attack surfaces that wouldn't have been there otherwise.

In the computer security field, we often say that one doesn't need Fort Knox to safeguard a broken bicycle.
~ Glenn Glazer, M.S. ’07 UCLA Security & Cryptography,
April 25, 2019, in Message on Groups.io Beta Group
 
@britechguy 2FA isn't comparable to Fort Knox, it's comparable to a dead bolt on your front door. Which most people agree, is rather required and as such we have very few homes left with just a lock on the knob.

But more to the point, the 2FA devices are shifting into a passwordless landscape. You can already do this on the MS side, where the "password" for your personal MS account is the unlock code / pattern / biometric on your phone, and the unlock is touching a matching number and clicking OK.

This authentication process is not only MUCH more secure, but also EASIER for users. Which is a very rare thing... So this process not only represents a huge security upgrade, but a massive quality of life upgrade.

SSO is the future as well, regardless of your personal habits, and end users in particular use it all the time. All the more reason to secure things by default, and stop allowing bad habits. My users love not having to remember passwords anymore, yours will too.
 
This has been a slow motion change, watching it over the last 3-4 years. Appriver just kicked in mandatory 2FA for all logins that have admin perms for accounts. One bank I use has gone to mandatory. My online broker has not yet. I'd expect it to be mandatory for any financial or healthcare related online accounts soon. The big part is users need to set up at least two options.
 
Yeah... helping everyone sort out the break the glass issues with authentication is a chore and a half.

On the MS side the password doesn't matter... until you need to enroll a new phone because your old one got flushed down the toilet / ran over by the car / eaten by the dog. Then you've long since forgotten said password because you don't use it, and do you think users are printing out those recovery codes and putting them into their fire proof safe where they belong? Heck do you think most users even HAVE a fire proof safe for important documents?

Authentication is hard... but MFA isn't, right up until it is. I can manage all this easily for my M365 users, but people that lose their personal MS accounts? Pretty much simply sucks to be them, make a new one and don't forget your recovery key this time.
 
That's the only real rub... you have to have a smart phone
No you don't. I barely use my smartphone and I'd be SUPER p*ssed if I had to reach for it every time I signed into an account. Thankfully there are other solutions like Authy, which have a program for the PC. You can also use it on multiple devices so you're not tied to a single device if it dies. I'd never use one of those stupid smartphone apps for 2FA.
 
I too use Authy, but note that Google pushes its 2FA prompt to ALL of your devices, including desktop Chrome, and you can fall back on the generated codes in Authy should the push fail.
 