Google is forcing people to use 2FA — what that means for you

A padlock resting on a mirror reflecting the Google logo.
(Image credit: Sergei Elagin/Shutterstock)

Google is starting to force some of its account holders to switch on two-factor authentication (2FA), according to a couple of Reddit complaint threads spotted by Android Police.

But don't fret. Most Android phones that work with Google Play are already set up to be the "second factor" in 2FA, and the same goes for iPhones and iPads with a specific Google app installed.

Once 2FA is set up, which Google calls two-step verification, although that's technically different, your Google account will be far better protected against hackers and others who might want to break in. 

You'll need to use the second factor after you enter your username and password only when logging in from a new device or, sometimes, a new location. An attacker who got your username and password from a data breach or a phishing attack won't be able to get into your account without the second factor.

This forced use of 2FA applies only to personal Google accounts. Google Workspace accounts will continue to use 2FA at the discretion of company IT departments.

Complaints, complaints

"Google [is] automatically enabling 2FA on my account on Nov. 9th," one Reddit user posted a few days ago. "Why does Google suddenly want to enable 2FA on my account now? ... I just don't want to deal with 2FA in any way." 

That user soon learned that Google will let you disable 2FA after it's turned on — at least for a short time. Eventually, 2FA will be mandatory for Google accounts that can handle it.

"Google notified me that it's making 2-step verification mandatory for my personal sign-in shortly," said another Reddit user. "But the turn-on process lists only one one of my devices and not my iPhone. ... I want to use 2 step verification on my iPhone."

Other Reddit users pointed out that you will probably need the Google Smart Lock app installed on iOS devices to receive Google push notifications. 

How soon will I have to start using 2FA?

At least one of these Reddit users was notified by Google via a Romanian-language email, and Android Police posted an image of a similar English-language email notification that also mentioned Nov. 9 as the switchover date. 

However, it doesn't seem like many other people are being given that start date. But many others will probably have to start using 2FA by the New Year.

Google gave us a heads-up about all this back in May, when it told it would "soon" start automatically enrolling account holders into 2FA "if their accounts are appropriately configured." 

In October, a second Google blog post  said that "by the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV."

"Appropriately configured" means the accounts have a phone number or second email address associated with them, or a smartphone set up to receive Google push notifications. 

The different options for second factors

Google walks you through the enrollment process, giving you two second-factor options: push notifications sent to your phone or temporary codes sent to your phone via SMS text message. 

We really recommend push notifications if you can get them, as texted codes can be intercepted by stolen or forwarded phone numbers, or "phished" out of users by clever con artists.

A demonstration of Google's push-notification form of two-factor authentication.

(Image credit: Google)

Oddly, Google won't let you use authenticator apps or USB security keys as the second factor until you've already set up one of the two choices above as your primary 2FA method. While authenticator apps, such as Google Authenticator or Authy, are still vulnerable to phishing attacks, they're still more secure than codes sent via SMS. 

Meanwhile, hardware security keys are the most secure 2FA option of all, being impervious to phishing and working independently of phones. You carry them around on a key ring with your house or car keys and plug them into a computer (or tap them on a phone) when you need to use them. 

But hardware security keys cost at least $20 each and sometimes much more, so Google might have been worried that not enough people have them. 

We've got guides on how to set up Google's 2FA on your phone and how to set up Google's 2FA on your computer. No harm in setting it up before Google gives you a deadline.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.