Google Enables '2-Step Verification' as Default

John Lister's picture

Google is switching on two-factor authentication by default for 150 million users. It's also making it mandatory for two million people who upload videos to YouTube.

The system means no longer relying on passwords as the only way to control access to account. Instead it adds a second method such as getting a security code on a particular phone.

Two-Factor versus "Two-Step" Verification

Google calls the concept two-step verification, though that doesn't really describe it properly. The more commonly used "two factor" term refers to the idea of combining different types of authentication and identification such as "something you know" (the password) and "something you have" (the phone or a USB security key).

The way two-factor authentication works is usually designed as a compromise between convenience and security. For example, a common set-up is that a password is enough to access an account from the user's home computer. An attempted log-in from a PC in another location will trigger the security code.

Tap To Confirm

Although Google strongly encourages two-factor authentication on its account, it appears it is disappointed by the proportion of people who've taken it up. That's why it's now making it the default option for some users, meaning they'll have to actively disable it if they want. (Source:

Google says it has chosen the 150 million users by looking for "Google accounts that have the proper backup mechanisms in place to make a seamless transition to 2SV." (Source:

That appears to mean people who have an Android phone on which they use their Google account. In this case the secondary check won't be a code sent by text message but rather an on-screen prompt that simply requires a tap.

YouTubers Get No Option

Two-step verification / two-factor authentication will also become mandatory for the two million YouTube users who are enrolled in the site's partner program. That means they are entitled to a proportion of revenue from ads shown before or beside their videos.

While making the security mandatory is a strong step, Google's logic appears to be that security breaches of such accounts could be particularly serious. For example, an attacker could change account settings to siphon off revenue payments, or use the account to distribute malicious videos to a large in-build audience.

What's Your Opinion?

Do you use two-factor authentication on any accounts? Is Google right to make it the default for many users? Are you happy with the balance of convenience and security on your online accounts?

Rate this article: 
Average: 4.5 (6 votes)


Dennis Faas's picture

A lot of people are going to complain about this being a major inconvenience, especially if you live in the dark ages and don't own a smartphone. The fact is, most major banks and insurance companies have been using this technology since the early 2000s with dedicated pagers that provide random numbers as part of the login procedure. This prevents accounts from being taken over and is a very good way to stop the bad guys from getting into the systems, though it's not the only option to prevent an entity from being hacked.

lgitschlag_3159's picture

I don't own a smart phone but do have a desktop and laptop so I guess that makes me a dinosaur but, who cares. I'll just have to live with it.

pdblevins_15287's picture

I have a physical disability, so I don't have/can't use a Smart Phone or any cellphone. I can't even use a touch screen because of my spastic movements. How am I supposed to log into my YouTube account if I must use a two-step verification? Google and other websites aren't considering how this will affect users with physical limitations.

Unrecognised's picture

My phone number is none of ggl's beeswax. I hate this with a vicious passion and have resisted it since it was imposed on me, locking me out of my own email accounts by way of clocking my IP address without my knowledge and denying me entry even after my supplying correct pw and correct secret question answers.

They don't give a crap about people's 'security'. They're collecting identifying data on people.

If I were a conspiracy theorist nutter I'd be starting to cite new world orders about now.


russoule's picture

this is part and parcel of the left's MANDATES to those of us who refuse to use their recommended whatever. "Take our vaccine." "No? Then we will MANDATE that you do it." "Wear a mouth diaper." "No? Then we will MANDATE it." "Use a two-step method to sign in." "No? Then we will MANDATE that you do." Wonder what would happen if everyone just told the MANDATERS to take a flying leap? I really do NOT REQUIRE Google to have an e-mail account. In fact, I do NOT REQUIRE Google for anything since all its functions are performed by other companies. Push me too far and I will just tell them to "eat dirt!".

mike's picture

I'm not sure how this is going to work. I received a text message a couple of days ago to have my phone handy the next time I log into Google. I have never given Google my smart phone number nor do I plan on doing so. Since I only check my gmail account every week or so and Google still works fine on my computer and smart phone, I'm not sure it matters. My gmail comes up on my phone just fine without me logging in, so why do I care?

Do you really believe that only people that don't have a smart phone are still in the dark ages? Some of us still have good reasons to not have a "smart" phone.