Google’s Mandatory 2FA Shows the Power of Default Settings

Google is about to make the internet a more secure place—by default.

Two-factor authentication (2FA) adds a huge layer of safety to your logins, but only if it’s switched on. By the end of 2021, Google plans to switch over 150 million Google users, and force 2 million YouTubers to enable the setting. 2FA has been available through Google for years, but in 2018, only 10% of accounts were using it. People just don’t seem to bother with anything that isn’t on by default. Google’s rival, Apple, knows this, which is why it has been aggressive in opting users into new security and privacy features automatically. 

"As Google found when they enforced two-factor auth for their own employees and high-value targets, account compromises via phishing effectively evaporate when two- factor authentication is enabled," Bobby DeSimone, the founder and CEO of Pomerium, a security service that also enforces two-factor authentication, told Lifewire via email. 

"Google’s enabling two-factor authentication by default is a laudable step forward in spreading that success to Gmail users at large. In particular, the default encourages the use of even stronger two-factor methods like device keys."

What Is 2FA?

Two-factor authentication (2FA), aka two-step verification (2SV) or One Time Passwords (OTP), is an additional authentication method when you sign in to an account. You’ve almost certainly used it already. After providing your password, the site asks for a temporary code that comes via SMS, or is generated in an app like Google’s Authenticator, 1Password, Authy, and more. This code is good for one use only, and expires after a short period.

The problem is, it’s usually provided as an optional extra, which means most people don’t bother to switch it on. After all, if you’re happy using your dog’s birthday as the password for all your accounts, then why would you care about this?

By forcing 2FA onto its users, Google is seriously upgrading their security. And it won’t even be too much of a chore to use. Google’s implementation requires just one additional tap to use—no copying and pasting of numerical codes needed.

"2SV has been core to Google’s own security practices and today we make it seamless for our users with a Google prompt, which requires a simple tap on your mobile device to prove it’s really you trying to sign in," wrote Google’s AbdelKarim Mardini and Guemmy Kim in a blog post. 

The Power of Defaults

We rarely bother to change the default settings. Even so-called power-users leave a lot of settings alone. If a photo-editing app exports JPGs, then we use JPGs. After all, whoever made the app probably knows more about that than us, right?

How about when Wi-Fi routers came open, without a password? You could enable a password, but who bothered? 

"The vast majority of security issues come not from systems, or technology, but behavior. And we know from Nobel-prize winning economics research how powerful defaults are in "nudging" people’s behavior," says DeSimone. "We are happy to see companies like Google and Apple 'nudge' their customers to use stronger methods of authentication."

Recently, Apple has added all kinds of privacy features in iOS 14 and iOS 15, and many of these came switched on by default. App Tracking Transparency, for example, enables iPhone and iPad users to block apps from tracking them on the internet. While these apps are not blocked by default, the blocking framework is enabled, meaning every time an app wants to track you, it has to ask. And of course, most users will refuse. 

Another illustration of the power of defaults is Google Search. Almost nobody changes the search engine in their browser, although it has been easy to do for a while. This default is so valuable that Google pays Apple an estimated $15 billion a year, just to remain the default search in Safari. 

If that doesn’t show how powerful defaults are, I don’t know what does.