Google is making it easier for users to implement two-factor authentication (2FA) for their personal or business Workspace accounts, part of the company’s larger push to adopt stronger verification methods, whether it’s multi-factor authentication (MFA) or passwordless tools like biometrics or passkeys.

The changes to what Google also calls 2-Step Verification (2SV) that were unveiled this week include the ability to add “second step methods,” such as Google Authenticator or a hardware security key, before turning on 2SV. Before, users needed to enable 2SV with a phone number before they were able to add Authenticator.

“This particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps),” the company wrote.

For those using hardware security keys, they can either register a FIDO1 credential on the key even it it’s FIDO2-capable, or register a FIDO2 credential on the key, which will require users to use the key’s PIN for local verification, creating a passkey on the security key, the company said.

Users will continue to be asked for the password as well as their passkey if the administrator’s for remains turned off, which is Google’s default configuration.

In addition, in the past, if a user who was enrolled for 2SV turned off the capability, all the second steps they chose – such as backup codes, Google Authenticator, or a second-factor phone – would be removed automatically. Now if they turn off 2SV, those second steps are kept in place.

That said, if an administrator turns off the capability for a user from the admin console or through the admin SDK, the factors will be removed. It’s a way to ensure that when a user leaves the company, the processes for off-boarding them remain in place.

The Need for MFA

Google, Microsoft, and other IT companies are pushing for greater adoption of MFA to protect users against phishing, password spray, and other cyberattacks, particularly as bad actors continue to target login credentials like usernames and passwords as ways to compromise corporate systems. According to Microsoft, the company deflects more than 1,000 password attacks every second and more than 99.9% of accounts that are compromised don’t have MFA enabled.

Verizon’s 2023 Data Breach Investigations Report, stolen credentials and phishing were used in 65% of all data breaches in 2022.

“Multifactor authentication is one of the most basic defenses against identity attacks today, and despite relentlessly advocating multifactor authentication usage for the past six years, including it in every flavor of Microsoft Azure Active Directory (Azure AD), and innovating in mechanisms from Microsoft Authenticator to FIDO, only 28 percent of users last month had any multifactor authentication session,” Alex Weinert, vice president of identity security at the company, wrote early last year. “With such low coverage, attackers increase their attack rate to get what they want.”

The Dream of Passwordless

For companies like Google, Microsoft, and Apple, the goal is to get to the point where enterprises and individuals won’t have to use passwords for authentication, instead using biometrics – like fingerprint or face scanners – or passkeys. The vendors have partnered with groups like the FIDO Alliance and World Wide Web Consortium to develop standards that will eliminate passwords, which are notoriously easy to break and are often reused by people for multiple accounts.

It likely will take time to get to a passwordless future, though there are signs that it’s coming. Privileged access manager (PAM) vendor Delinea found in a survey of attendees at the Black Hat Conference 2023 that 54% of respondents called passwordless a “viable concept” and 79% said that passwords are either evolving or becoming obsolete. It was a small sampling – 100 attendees – but it echoed what other larger surveys have found.

Two months later, a larger survey of 1,005 IT decision-makers by FIDO and password manager firm LastPass found that 95% already use some kind of password technology at their organization and 92% have a plan in place to adopt such technologies more widely.

Google: Fast Passkey Adoption

Another proof point came earlier this month, when Google said that in less than a year after introducing passkeys for all Google accounts, they’d been used to authenticate people more than 1 billion times on more than 400 million accounts.

“Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than passwords,” wrote Heather Adkins, vice president of security engineering at Google. “In fact, on a daily basis passkeys are already used for authentication on Google Accounts more often than legacy forms of 2SV, such as SMS one-time passwords (OTPs) and app-based OTPs (such as Authenticator apps) combined.”

In addition, Google will soon support the use of passkeys for enrolling in its Advanced Protection Program – which is aimed at those at the highest risk of targeted attacks, such as human rights workers and journalists – and noted the growing number of password manager vendors offering password management APIs for various operating systems, including Android.

Google also noted the growing adoption of passkeys by such companies as Amazon, 1Password, Docusign, and Kayak. Early adopters included eBay, Uber, PayPal, and WhatsApp.