Google Announces It Will Begin Using 2SV Automatically

Google 2sv Featured

We’ve heard often that two-factor authentication is the way to go, that the extra step will help keep your accounts safer. Google agrees with this so much that it plans to automatically use what it calls 2SV (two-step verification) on all accounts. For all intents and purposes, 2SV is just another way to refer to 2FA (two-factor authentication). The two terms are often interchangeable.

Google’s Plan for Using 2SV Automatically

Google laid out in a blog post the problems with signing in with just a password: “They’re easy to steal, they’re hard to remember, and managing them is tedious.” It adds that a long password isn’t always safer, as they tend to make people use them for more than one account, as they don’t want to remember multiple long passwords.

Noting that “keeping you safe online is our top priority,” Google gave a preview of its new 2SV policy. Currently, Google account holders are asked to enroll in 2SV, but they will be enrolled automatically in the future.

Google 2sv Account

The blog post explains Google’s 2SV process that involves using a mobile device as the second step in the verification process. Users verify their identity by tapping a Google prompt when they sign in. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.”

Google is “building advanced security technologies into devices to make this multi-factor authentication seamless and even more secure than a password. For example, we’ve built our security keys directly into Android devices and launched our Google Smart Lock app for iOS, so now people can use their phones as their secondary form of authentication.”

Password Manager and Password Import

Automatically adding 2SV to all accounts will add to the other ways Google already keeps the login process safe. This includes Password Manager and Password Import.

Password Manager is built into Chrome, Android, and even iOS. It makes it easier to create and use unique, complex passwords and not have to remember them. It will automatically fill in your password when you sign in and also utilizes Google Security Checkup to let you know if your passwords have been compromised, if you are reusing a password, and the strength of your password.

Google 2sv.gmail

Password Import allows users to upload passwords, up to 1,000 at a time, from third-party sites into Password Manager.

Of course, you may be happy with your current password manager and current process of 2SV. Stick with it. Just know Google is providing another option.

Frankly, Google needs a bit of P.R. to ensure the safety of using its services. Perhaps adding these services, whether automatic or not, will help the public see the company a bit differently while keeping accounts safe in the process.

“One day, we hope stolen passwords will be a thing of the past because passwords will be a thing of the past, but until then, Google will continue to keep you and your passwords safe.”

Read on to learn how using 2FA tied to recycled phone numbers can also be a security risk.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.

7 comments

    1. JimBob and John C.:

      Some places – and I think Google is one – can have 2FA set up to deliver the code to an e-mail address. The potential problem is that these codes – whether sent via e-mail or SMS – have a limited life span. So, if there’s a delay in the e-mail getting to you, you could find that the code is no longer valid. Some places will allow a new code to be sent at the click of a button; others will require you to start the login process all over again.

      It should be noted that a smartphone isn’t needed to get SMS messages. The older, much cheaper, pre-smartphone cellphones can receive SMS messages just fine for use with 2FA.

  1. As JimBob says, what if a person doesn’t have a cell phone? And even if I did, why in the WORLD would I give my phone number to Google? What’s next? Mandatory faceID and fingerprinting? Believing that this is a good thing is naivety in the extreme. Google is just spin-doctoring in order to cover up their real agendas, as usual.

  2. Yet another reason to find another portal. Sure will be glad when congress gets rid of 230 and these folks are made more responsible for their actions. You tube has become a real joke. Google has always been one.

    1. “Sure will be glad when congress gets rid of 230 and these folks are made more responsible for their actions.”

      They already *are* responsible for *their* actions…S230 just makes it so they aren’t responsible for *your* actions as well. If you post something libelous about someone on Twitter, S230 ensures they can only sue *you*; they can’t sue Twitter as well. Without S230, they *could* sue Twitter as well, saying that Twitter should have removed the post. And that’s ridiculous…platforms like Twitter and Facebook get hundreds (thousands??) of posts per minute; it just isn’t feasible for them to moderate each and every one of them.

      And that’s what S230 does…it makes it so they don’t have to; the *user* is responsible for what he/she posts, not the platform. If S230 were gotten rid of, all social media sites would (probably) shut down overnight. So (probably) would blogs that allow posting comments, like this one. So (probably) would user/community forums. Why? Because they couldn’t possibly afford the lawsuits that could potentially arise over user posts.

      “You tube has become a real joke. Google has always been one.”

      YouTube = Google. For many years now.

  3. “Google Announces It Will Begin Using 2SV Automatically”

    When I saw this headline in my RSS reader, the first thought I had was “what the heck is 2SV??????” But after reading the first paragraph, I realized that it’s just Google trying to rename a security process that is in wide use by the rest of the industry. Figures that Google would refuse to use the same name that everyone else does :-(

    A timely article, Laura…I just today got an e-mail from Google wanting me to “strengthen the *security*” (emphasis mine) of my account by verifying the *recovery* e-mail for the account. How verifying the e-mail used when I forget my password (not ever likely thanks to 1 Password) helps strengthen the *security* of my account is beyond me…but we are talking Google here. However, when I logged in to my account, they actually wanted me to verify the recovery *phone number*, not the e-mail…and worse, if the e-mail was wrong, I couldn’t even change it…which was allegedly the entire purpose of what I was doing.

    Google can be so annoying most of the time.

  4. ‘Google laid out in a blog post the problems with signing in with just a password: “They’re easy to steal, they’re hard to remember, and managing them is tedious.”’

    Well, I agree that they’re fairly easy to steal if you’re a hacker, but as to the other two, password managers eliminate those problems. And since password managers range from free to expensive, there’s really no excuse for not using one. Even using the one built into your web browser is better than using short, easy-to-remember passwords.

    “It adds that a long password isn’t always safer, as they tend to make people use them for more than one account, as they don’t want to remember multiple long passwords.”

    That doesn’t make the *passwords* less safe, it makes the *accounts* less safe…and password managers take care of that problem as well. Longer passwords are *always* safer than short ones.

    “Noting that “keeping you safe online is our top priority”

    Yeah, right. It’s their top priority…right after harvesting and selling your data. Come on, Google…you don’t really think you’re still fooling us, do you?

    “Users verify their identity by tapping a Google prompt when they sign in”

    Actually, that particular blog post has it wrong. If you follow one of the links in the post, you find that 2SV works the same way that 2FA works…which makes sense, since 2SV is just Google’s name for 2FA. There is no prompt to tap…after entering the password, a multi-digit code is sent to your phone (or e-mail if you have it set up that way), you enter that code into the box and away you go.

    “Password Manager is built into Chrome, Android, and even iOS”

    Hummm…I doubt it’s built into iOS. Given that Apple is far more concerned about their user’s security and privacy than Google is, I suspect that Apple wrote the password manager built into iOS, rather than make use of Google’s.

    “Frankly, Google needs a bit of P.R. to ensure the safety of using its services. Perhaps adding these services, whether automatic or not, will help the public see the company a bit differently”

    Google’s PR problems have nothing to do with the safety of using its services, and bolstering the security of those services isn’t going to change the way people see the company. That’ll only happen when Google stops its scummy habit of tracking everybody and harvesting their data…which is unlikely to ever happen.

    “One day, we hope stolen passwords will be a thing of the past because passwords will be a thing of the past”

    That day *could* be right away…all that needs to be done is convince web sites that require logins to use SSH keys instead of passwords. Since SSH keys can’t be compromised without physical access to computers, all the problems of passwords just vanish!

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.