Google Claims Forcing 2FA On 150M User Accounts Led To 50 Percent Fewer Hijacks

Back in May of last year, we reported on a new campaign by Google to increase user account security through a number of methods. As part of this campaign, Google announced its plans to drive people to use two-factor authentication (2FA), saying that users whose accounts are appropriately configured would begin to be automatically enrolled in 2FA.

Then, in October, Google announced its intentions to enable 2FA for 150 million Google accounts, and for 2 million YouTube creators as well, by the end of 2021. We’re now in 2022, and Google’s push to enable 2FA has been a rousing success so far, according to a blog post by the company.

Google reports that it was able to successfully auto-enable 2FA for over 150 million accounts, as well as implement a 2FA requirement for over 2 million YouTube creators. Google claims that these efforts have resulted in a 50% decrease in accounts being compromised among users with 2FA enabled.

Google lauds these results as a demonstration of the effectiveness of 2FA for securing people’s data and personal information. That said, the company states that it is working on further efforts to increase account security. One of these efforts has been building security key support directly into Android phones, and extending this support to Apple devices by way of the Google Smart Lock app.

Google says that it will continue to automatically enroll users in 2FA in 2022, but the company encourages users not to wait and to enable 2FA themselves. If you’re unfamiliar with 2FA, we recently highlighted Google Authenticator, which is a popular 2FA option that uses time-based one-time passwords (TOTP). There are other third-party apps for TOTP, but make sure you exercise scrutiny in your choice of authenticator app so you don’t end up unwittingly installing malware on your device.

Google actually uses the term two-step verification (2SV), which is a broader term, but all of Google’s available 2SV methods qualify as 2FA. 2FA requires not only a second step in the login process, but also the possession of a specific device, key, or code. If Google simply sent users a login verification link through email, that email could be accessed on any device, so it would act as a form of 2SV, but not 2FA.

However, Google instead offers a number of methods for receiving prompts or codes on particular devices that users have pre-verified or set up for that purpose. As mentioned above, Google also supports hardware security keys, in addition to backup codes that you can store somewhere safe. All of these methods require that users have a specific form of secondary authentication in their possession, so they qualify as not just 2SV, but also 2FA.