This blog was written by an independent guest blogger.
Many Gmail users were recently greeted with a message that alerted them that 2-step verification will be required to log into their accounts starting on November 9th (today).
While many in the security community have been advising people to turn on 2-factor, 2-step, or any other secondary security method on every account as a way to protect the login process, the Twitterverse showed that many people were unhappy with Google’s implementation of this mandatory change.
Other commenters were not so restrained in their dislike of the new policy:
Other complaints included that 2-FA is not friendly to the elderly who have flip-phones, what happens when the phone battery dies, and the general objection to the inconvenience of having to use a second method to complete the login process.
While all of these are legitimate sentiments, the folks at Google have built in fallback methods to answer all of these concerns. For the ageist commenter who thinks that older Gmail users only own flip phones, one of the methods to log in with a flip-phone is to receive a voice call on the phone to complete the login process.
In the case of a dead battery, or a lost or stolen phone, Google offers recovery codes that can be printed and stored in a safe place for that type of emergency. This is a common practice with most multi-factor providers, so it should be fairly familiar if a person has been using any form of 2FA for any other accounts.
It is true that using multi-factor is somewhat inconvenient, but that is part of why it is so valuable for protecting an account. Many people still use poor passwords, and security questions are simply not good enough, as most people choose answers that are easily discovered through a simple social media search.
One final method that Gmail allows to complete the login process is the use of a “security key”. As described on the 2-step verification page:
A security key is a verification method that allows you to securely sign in. These can be built in to your phone, use Bluetooth, or plug directly into your computer’s USB port.
One can only wonder what the motivation is for Google to make 2-FA mandatory? While the optimist in me believes that it is to protect the accounts of the millions of Gmail users, the pessimists on Twitter see it a bit differently:
Unfortunately, I doubt that all the complaining in the world will force Google to reconsider this decision. Some people may think that they can post a statement saying that they do not give Google permission to enable 2FA, but this is fairly pointless, as it assumes personal ownership of something that has been freely provided, with some very specific terms, as expressed in the Gmail user agreement.
One glimmer of hope from all of the comments is that it is apparent that everyone knows exactly what 2FA is. Just a few years ago, defining multi-factor authentication took up a majority of time when introducing the concept to a new audience. As security professionals, we no longer need to explain that part. What we need to do now is to demonstrate how a minor inconvenience can go a very long way to making us all more secure. Let’s set our sails in that direction.