Google has simplified the setup of 2-Step Verification (2SV) for user accounts: users can now enable it without providing a phone number.
Previously, users had to input their phone number before being able to set up 2SV. However, now users have the option to skip adding a phone number when enrolling in the verification method through their account settings.
This update is beneficial for both organization admins seeking to enforce 2SV policies and individual users. Relying solely on a phone number for verification is not entirely secure, because SMS-based one-time passcodes (OTPs) are prone to hacking and are at risk if the device is lost or stolen.
Google Removes Phone Number Requirement Before 2-Step Verification Setup
Google offers three alternatives for setting up 2-Step Verification. Users can choose an authenticator app such as Google Authenticator or Microsoft Authenticator, or an open-source option such as Aegis Authenticator for Android, 2FAS for Android and iOS, or Ente Auth for Android and iOS.
Alternatively, users can choose a hardware security key such as a YubiKey for additional security. Google notes that even if the key is FIDO2 capable, it will be registered as a FIDO1 credential. Users can also create a passkey for their Google account, which is registered as a FIDO2 credential and requires entering the key’s PIN for local verification.
Microsoft recently introduced support for passkeys for all user accounts, and WhatsApp Messenger and Bitwarden Password Manager have also integrated passkeys for improved security. Passkeys are growing in popularity, with Google recording over 1 billion authentications via passkeys across 400 million accounts within a year. Users can follow a guide to create a passkey for their Google account using a fingerprint reader, Face ID, or the device’s screen lock code.
Google assures that if a user disables 2SV after enabling it, other enrolled secondary steps like backup codes, Google Authenticator, or a second-factor phone will not be automatically removed from their account. This feature is designed to prevent users from being locked out of their accounts, particularly during a device switch.
The enhanced 2-Step Verification process is not limited to Google Workspace customers but is available for all users, including personal accounts. The transition to this new process is expected to be completed within the next two days, enabling users to activate 2SV from their Account’s security page for heightened account protection in the event of a compromised password.