What you need to know
- Google is implementing two-factor authentication by default, and experts think more companies will follow suit.
- Implementing two-factor authentication can be challenging for smaller businesses because of cost and education.
- Two-factor is one of the best methods of protection against cyber breaches.
Google making two-factor authentication a default "speaks volumes" that sends a clear message to other companies to adopt similar privacy policies, experts say.
Google announced last week that it will automatically enroll users into two-factor authentication in a move to better protect accounts. The company will turn on the function, which will prompt any of the best Andriod phones linked to the account, and you will have to confirm that it's you trying to log in.
Sumit Bhatia, director of communications and knowledge mobilization with the Cybersecure Catalyst at Toronto's Ryerson University, said in an interview that Google's move is going to be the next step towards more companies providing better security.
Bhatia said that instead of giving people multiple options on the type of security they can use, Google is giving them the best option, and whether or not they choose to opt-out is their choice.
"If somebody doesn't want to opt-in, that's a choice they'll have to make. We are going to work in their best interest. And I think that's the point, that Google is taking a position where they're saying we're not going to work in the interest of our audiences and anything other than that is going to require an additional step on their part," he said.
"In addition to multi-factor authentication, I think what this is is that it speaks volumes to as an organization of their size taking a stance like that will actually help the industry to sort of reconfiguring how they can (tackle protecting privacy) in different ways."
Google's move to make two-factor authentication a default came shortly after it announced that all Nest customers will be required to enroll in the same password authentication process. Amazon-owned Ring also made 2FA mandatory in February 2020.
Microsoft also recently announced its own desire to get rid of passwords.
Challenges still to be seen by small business implementing 2FA
Bhatia said the steps the company has taken have been slow and steady, and as a result, users will "automatically be inducted into that framework."
Mark Risher, director of product management, identity, and user security at Google, said in an email that in the past multi-factor authentication was hard to set up, but that this is no longer the case.
"Many users are already positioned to use a second step of verification across their accounts — this auto-enrollment process is a way for us to help get them there," he said.
Risher added that Google is also working on making options more suitable for every user and are "actively working on technologies that provide a secure, equitable authentication experience and eliminate the reliance on passwords."
But Bhatia also said that adding 2FA isn't so simple for the businesses that have not invested in implementing the technology, because they would also have to educate their users on the new function.
Rebecca Herold, CEO of the Privacy Professor Consultancy and a privacy expert, agreed and added that larger enterprises will be "obligated" to follow suit. Like Bhatia, she said in an interview that the challenge will be when it comes to smaller businesses adopting the practice.
"That's where you're going to see a little bit slower adoption because they still aren't going to understand the return on investment for building and engineering two-factor authentication versus just having a password," Herold said.
"Certainly startups and smaller tech companies are going to think 'oh we've done enough, we don't want to spend more.'"
Another added challenge, Herold explained, is that these smaller businesses have to get customers to understand the importance of two-factor authentication and how to use it.
"They want to make things as intuitive to their customers as possible, so if they put in two-factor authentication, they're going to say 'oh you know now we're going to have to have a call center to answer their questions or have something online to be able to communicate with them and we're going to get complaints.'
"But to them, I point to the financial industry. The banks and online credit unions already got through this hurdle to have at least two-factor authentication. And those of us who do a lot of online banking, we're used to that, and in fact, we appreciate that."
This post was originally published on May 12 and was updated on May 13. The original article stated that Amazon's Ring made 2FA optional but Android Central has since learned that Ring has made 2FA mandatory to users and we have updated it to reflect the new information. Android Central regrets the error.