A sign is displayed at the Google outdoor booth during exhibitor setups for CES 2020 at the Las Vegas Convention Center in Las Vegas, Nevada. Google announced that it will automatically enroll users in multifactor authentication – what they are calling two-step verification. (Photo by Mario Tama/Getty Images)

Google took an important step on Thursday by saying that “very soon” they will automatically enroll users in multifactor authentication – what they are calling two-step verification (2SV) – a move security researchers say is a step in the right direction.

Google made the announcement on World Password Day, in which Mark Risher, Google’s director of product management, identity and user security, pointed out in a blog that 66% of Americans admit to using the same password across multiple sites, which makes all those accounts vulnerable if any one fails.

“We need to get out of the ‘thoughts and prayers’ excuses after breaches and make use of the tools available today to tackle the relative low-hanging fruit of problems that should not be problems,” said Greg Ake, senior threat researcher at Huntress.

Risher said Google now asks people who have enrolled in 2SV to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Google will start automatically enrolling users in 2SV if their accounts are “appropriately configured.” Risher adds that users can check the status of their accounts in Google’s Security Checkup

“Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone,” Risher said. “One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then, Google will continue to keep you and your passwords safe.” 

Google has taken an important step forward, said Setu Kulkarni, vice president strategy at WhiteHat Security, while acknowledging that it could wind up being a mild annoyance for the millions who have not chosen to do 2FA yet.

“However, for the next generation, this will become a part of life – a habit,” Kulkarni said. “This move does beg a question though: will this end up creating a ‘haves and have nots divide’” because 2SV does mean that one needs to have a mobile device.”

After countless security incidents following a shared or reused password, weak or default credentials, or any means a bad actor might take advantage of a password, it’s great to see the industry enforcing a stronger security posture by default, noted John Hammond, a senior security researcher at Huntress. 

“Organizations should implement MFA everywhere possible, and the underlying passwords behind them should be securely generated and managed,” Hammond said. “Build an authentication process on three foundations: something you know, something you have, and something you are. Just one of these building blocks alone doesn’t maximize security. MFA with a phone or fingerprint adds an element of physical security, and an extra layer of protection that security teams should have in place for their users.”

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said that MFA works as both a successful way of keeping threat actors from gaining access with weak passwords, as well as just a simple deterrent: the attackers will choose the path of least resistance and move on to trying credentials that don’t have MFA requirements. Carson said it’s important to make authentication easier and the experience positive wherever possible, otherwise users will find ways around the security control making them much weaker.

“Password hygiene should always be part of employee training and cyber awareness training,” Carson said. “Once someone knows how to connect to the internet they should be educated on how to use a password manager. Organizations must help employees move passwords into the background so they do not have to choose or remember passwords, using a privileged access security solutions helps organizations reduce the risk of weak passwords which is a common cause of many security incidents and data breaches.”

Mike Reinhart, senior director of product marketing at Nok Nok Labs, said his company couldn’t agree more with Google’s sentiment for a simpler and safer future — without passwords.  

“Since our inception over a decade ago, Nok Nok has envisioned, and worked toward a world without passwords,” Reinhart said. “The need to go passwordless has become an increasingly urgent matter, and top of mind as the impacts of the COVID-19 pandemic have resulted in the need to accelerate and expand remote workforces that are connected digitally.”