C. Scott Brown / Android Authority
TL;DR
- Google’s updated 2FA setup no longer requires a phone number by default.
- Users can set up 2FA directly with an authenticator app or hardware key, skipping SMS verification.
Google has streamlined the setup process for two-factor authentication (2FA), also known as two-step verification (2SV), making it easier and more secure for users to protect their accounts.
The new, improved process gives users the option to start their 2FA setup by directly choosing more secure methods like authenticator apps or physical security keys. In the past, setting up 2FA required first providing a phone number before being able to add an authenticator app.
While SMS verification codes are a step up from single-password logins, they are considered less secure than other 2FA methods due to potential vulnerabilities. With Google’s update, phone number verification isn’t a mandatory step anymore for setting up 2FA. Users can instead directly opt for a time-based code generated by an authenticator app (like Google Authenticator) or connect a physical security key.
Google offers two methods for linking security keys. Users can choose to register a FIDO1 credential on their key or set up a passkey. It’s important to note that passkey setups may still require standard password login for Workspace accounts, depending on the specific settings established by the associated organization.
Google has also adjusted how turning off 2FA works. Previously, turning 2FA off meant all associated security measures, such as backup codes, authenticator app links, and linked phone numbers, would be automatically removed. Now, these additional layers stay in place even after you turn off 2FA.
These updates are rolling out to both Google Workspace subscribers and users with personal Google accounts.