Google to turn on two-step verification by default

When someone asks me about improving their online security, I tell them to enable two-factor authentication (2FA). By introducing another security element besides your password, like a Google Authenticator code, you make it orders of magnitude harder for someone to break into your online accounts, even if they get ahold of your password.

Most major online services, such as Google, Facebook, and Twitter, already offer 2FA. Soon, however, Google is making 2FA (also called two-step verification, or 2SV) on by default.

In a blog post Thursday — timed to align with the World Password Day, May 6 (yes, that's a thing) — Google's security chief Mark Risher paints a future that's entirely password-free.

"You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious," he writes. Google has developed tools, such as the Password Manager, that make handling hard-to-remember passwords easier — to the point where you never need to know your passwords by heart.

Passwords aren't entirely gone yet, though. Until that happens, Google is improving the security of accounts by turning 2FA on by default.

"Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured," writes Risher. You can check the status of your account in Google's Security Checkup, which will tell you whether 2FA is turned on, show you recent security activity, display signed-in devices, etc.

PCWorld has a few more details on what "appropriately configured" means. Jonathan Skelker, product manager for account security at Google, told the outlet that it means that users already have recovery information on their accounts, like a phone number or a secondary email.

Typically, I prefer opt-in features to opt-out features. But it's really easy to get your password compromised these days. For example, if you've ever used the same password on several sites, you have a problem. So I welcome Google activating this feature for users automatically.

There's also no precise timeline for when it will start activating 2FA for users, beyond Risher's "soon."

UPDATE: May 6, 2021, 4:24 p.m. CEST A Google spokesperson told me users will be able to opt out of the feature. This might be useful for one-time accounts, or for accounts which hold little or no personal data. The article has been updated to reflect this.