Google has streamlined the process of activating 2-Factor Authentication (2FA) for user accounts: users can now turn it on without providing a phone number.
Previously, users had to provide their phone number before being able to activate 2FA. However, users now have the choice to skip adding a phone number when opting for the authentication method in their account settings.
This update benefits both organization administrators looking to implement 2FA policies and individual users. Relying solely on a phone number for authentication is not completely secure due to the vulnerabilities associated with SMS-based one-time passcodes (OTPs), which are susceptible to hacking and are at risk if the device is lost or stolen.
Google Eliminates Phone Number Requirement Prior to 2-Factor Authentication Configuration
Google provides three alternatives for setting up 2-factor authentication. Users can opt to use an authenticator app such as Google Authenticator or Microsoft Authenticator. Additionally, they can explore open-source choices like Aegis Authenticator for Android, 2FAS for Android and iOS, and Ente Auth for Android and iOS.
Alternatively, users can select a hardware security key like YubiKey for added security. Google mentions that even if the key supports FIDO2, it will be registered as a FIDO1 credential. Users can also create a passkey for their Google account, which is registered as a FIDO2 credential and requires entry of the key’s PIN for local verification.
Microsoft recently added support for passkeys for all user accounts, and WhatsApp Messenger and Bitwarden Password Manager have also integrated passkeys for enhanced security. The use of passkeys is gaining popularity, with Google reporting over 1 billion authentications via passkeys across 400 million accounts in a year. Users can refer to a tutorial to create a passkey for their Google account using features such as a fingerprint reader, Face ID, or the device’s screen lock code.
Google ensures that if a user deactivates 2FA after enabling it, other enrolled secondary methods such as backup codes, Google Authenticator, or a second-factor phone will not be automatically removed from their account. This feature is designed to avoid users getting locked out of their accounts, especially during a device transition.
The enhanced 2-Factor Authentication procedure is not restricted to Google Workspace clients but is accessible to all users, including personal accounts. The migration to this new procedure is projected to finish within the next two days, empowering users to activate 2FA from their Account’s security page for elevated account security in case of a compromised password.