Google will make you use two-step verification to login
World Password Day returns to remind us how much passwords suck
Google has marked World Password Day by declaring "passwords are the single biggest threat to your online security," and announcing plans to automatically add multi-step authentication to its users' accounts.
A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of strong passwords, Google is ready to wipe them from memory.
At the 2004 RSA Conference, Microsoft co-founder Bill Gates predicted passwords would become less important in the years ahead. The Windows biz has pushed to make that happen by supporting FIDO2 security keys for authentication and switching to token-based authentication to approve git operations on GitHub, among other initiatives. But the password, like email, has so far defied its death watch.
Google's product management director Mark Risher, in a blog post this week, noted that 66 per cent of Americans admit to using the same password across multiple sites, which is an ill-considered security practice. Account databases do get compromised, and any username and password so exposed can be easily fed to a bot that will try the combination out at popular websites, a technique known as credential stuffing.
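Credential stuffing leaves a distinctive footprint in authentication logs: one source tries many different usernames, usually once each, rather than one username many times, so per-account lockout never trips. The following is an added example (not Google's code and not part of the original article) that runs that heuristic over a constructed log; the log format, IP addresses and usernames are invented for the demo:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log for the demo (not from any real system).
# Fields: ISO-8601 timestamp, source IP, username, result.
SAMPLE_LOG = """\
2021-05-06T10:00:00Z 203.0.113.7 alice FAIL
2021-05-06T10:00:01Z 203.0.113.7 bob FAIL
2021-05-06T10:00:01Z 203.0.113.7 carol OK
2021-05-06T10:00:02Z 203.0.113.7 dave FAIL
2021-05-06T10:00:03Z 203.0.113.7 erin FAIL
2021-05-06T10:00:03Z 203.0.113.7 frank FAIL
2021-05-06T10:00:04Z 203.0.113.7 grace FAIL
2021-05-06T10:00:05Z 203.0.113.7 heidi FAIL
2021-05-06T10:00:10Z 198.51.100.4 alice FAIL
2021-05-06T10:00:20Z 198.51.100.4 alice FAIL
2021-05-06T10:00:35Z 198.51.100.4 alice OK
2021-05-06T10:05:00Z 192.0.2.9 ivan FAIL
2021-05-06T10:09:00Z 192.0.2.9 judy OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (epoch_seconds, ip, user, ok) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when.timestamp(), ip, user, result == "OK"))
    return events


def find_credential_stuffing(events, min_distinct_users=5, window_s=60):
    """Flag source IPs that attempt >= min_distinct_users different usernames within window_s.

    Distinct usernames per source is the discriminator: a password brute-force hammers one
    account, while stuffing replays leaked username:password pairs across many accounts,
    typically once each. Thresholds are illustrative assumptions, not a published standard.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological
        best, start = 0, 0
        for end in range(len(evs)):
            # Sliding window: drop events older than window_s relative to the newest one.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            users = {e[2] for e in evs[start:end + 1]}
            best = max(best, len(users))
        if best >= min_distinct_users:
            # Successful logins from a flagged source are the accounts most likely taken over.
            compromised = sorted({e[2] for e in evs if e[3]})
            flagged[ip] = {"distinct_users": best, "compromised": compromised}
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} distinct users, compromised={info['compromised']}")
```

In the sample, 203.0.113.7 tries eight usernames in five seconds and gets one hit ("carol"), which is the account to force a password reset on; 198.51.100.4 fails three times on a single account and then succeeds, which looks like a user mistyping, not stuffing, and is left alone.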
And let's not forget that in 2017, a Google software engineer said less than 10 per cent of active Google accounts were using two-step authentication.
Today, Google has taken its two-step verification program (2SV) up a notch. This process, however, still involves passwords – entering your password is the first step.
It's also the second step, though it's not called a password in this context. Rather, it's a one-off, time-limited authentication code or token: sent to the user's mobile device, generated by an authenticator app or a hardware token, or supplied by a dedicated security key. It may even be a backup code printed out long ago, just in case the second-factor device is unavailable.
In any event, authenticating using something you know and something you fleetingly have is more secure than just relying on "solarwinds123" or the like.
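The "one-off, time-limited" code that authenticator apps produce is normally a TOTP (RFC 6238): an HMAC over a 30-second time counter, keyed with a secret shared at enrolment, truncated to six or eight digits. The following is an added example, not Google's code and not from the article, implementing HOTP/TOTP plus the server-side check with a small clock-drift window and replay protection. The secret is the RFC 4226/6238 reference test key "12345678901234567890", not a real account secret:

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference key, base32-encoded the way authenticator apps store it.
# Constructed for the demo; never reuse a published key for a real account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 time-based OTP: HOTP over the current time slot (for_time in epoch seconds)."""
    return hotp(secret_b32, int(for_time) // step, digits)


def verify_totp(secret_b32, candidate, now, step=30, digits=6, window=1, used=None):
    """Server-side check: accept the code for the current slot or +/-window neighbouring
    slots (clock drift), compare in constant time, and refuse a slot that already succeeded
    so a sniffed code cannot be replayed inside its lifetime. `used` is the per-user set of
    accepted slots (an assumption for the demo; a real service keeps it in its session store).
    """
    if used is None:
        used = set()
    slot = int(now) // step
    for delta in range(-window, window + 1):
        s = slot + delta
        if hmac.compare_digest(hotp(secret_b32, s, digits), candidate):
            if s in used:
                return False  # replay of an already-spent code
            used.add(s)
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32, time.time()))
```

The `window` parameter is the trade-off the text alludes to with "fleetingly have": each extra slot of tolerance for a drifting phone clock also widens the interval in which an intercepted code still works, so most deployments stay at one slot either side and rely on the replay set rather than a larger window.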
So it is that Google plans to make this two-step verification (2SV) ritual obligatory for those who have revealed enough about themselves and their possessions to the Chocolate Factory.
"Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured," explains Risher. "Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone."
Nonetheless, Google isn't done with passwords, having built its Password Manager into Chrome, Android, and more recently iOS, and welded the code to its one-click Security Checkup, which alerts users when passwords have been publicly exposed, when they've been reused across multiple sites, and when they're too short or otherwise weak.
"One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past, but until then Google will continue to keep you and your passwords safe," said Risher.
One day, all your base are belong to us. ®