Google account hacks drop 50% for 150 million who got 2-factor login

With two-factor authentication, hackers can't get far even if they've stolen your password. Ultimately, Google wants to move entirely beyond passwords.

If you were among the 150 million people that Google required to use two-factor authentication last year, consider yourself lucky: The chance your account was hacked dropped by half.

In the last three months of 2021, Google automatically enrolled 150 million account holders, along with 2 million YouTube users, in what it calls two-step verification, or 2SV. The security process usually combines a password with a second login challenge, such as a confirmation prompt in a Google app or a hardware security key.

The requirement proved worthwhile. Account compromises were half as likely on 2SV accounts as they were on password-only accounts, Google said in a blog post Tuesday.

"This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information," Google said. "Turn on 2SV (or we will!), as it makes all the difference in the event your password is compromised."

Google has an incentive to nudge its users toward a stronger login system. It has billions of Gmail, Google Workspace and YouTube account holders. That makes it a tempting target for hackers, who often employ social engineering tricks to wheedle information out of people. And email accounts like Gmail are particularly important to protect: Resetting other passwords often goes through email, so a compromised email account can lead to other hacks.  

Moving to two-factor authentication is a big step for a lot of people, but likely not the last one as companies try to address the ever more apparent shortcomings of password-only login. We forget passwords, pick weak ones and reuse passwords on multiple sites. The Have I Been Pwned service, which alerts you to sensitive information leaks, has amassed a list of more than 613 million passwords found in data breaches.

Multifactor authentication means hackers aren't as likely to profit from having your stolen password. It also helps enable a future where we dump passwords altogether.

Microsoft is promoting no-password authentication that uses biometric technology like Windows Hello face identification, phone-based authentication apps and security keys. Google also hopes to phase out passwords eventually.

Apple, which requires two-factor authentication when you're setting up a new device or logging in to your Apple account on the web, is also pushing in the same direction. It's working on a technology called passkeys for iCloud that will enable passwordless login; the technology is available now for developers to test.

All the foundational work by the world's biggest tech companies is a good indication that if you're using passwords alone for logon, you should brace yourself for some changes. It also indicates that we'll see more secure alternatives to a common but imperfect form of two-factor authentication, text messages sent to your phone.

Google has been a big proponent of hardware security keys, small devices that connect wirelessly or through USB ports. Their use wiped out successful phishing attacks on Google employees. Such keys, however, introduce new challenges because they can be complex. Price is also a factor. Even cheap security keys cost at least $29.

Another major change in security is the adoption of password managers like LastPass, 1Password, Bitwarden and KeePass. Google steers people toward its own password manager, which is built into Chrome and Android and can be used on iOS, too. Apple likewise built a password manager into its iPhone, iPad and Mac software, and offers a utility for using it on Windows.