Google Simplifies Two-Step Verification for Workspace and Personal Accounts

Google has announced a streamlining of the two-step verification process for Google Workspace and personal Google accounts, making it easier for users and IT administrators to enhance their account security. Previously, users were required to bind their phone number for SMS verification before they could enable two-step verification with additional authenticators like the Google Authenticator or hardware security keys compatible with FIDO standards.

This requirement was initially put in place to ensure that users could still access their accounts if they lost their authenticator device. However, with the passage of time, Google has recognized that traditional SMS verification codes are no longer a reliable form of authentication.

Now, Workspace users can directly add authenticators without first binding their phone number. This includes software-based authenticators like the Google Authenticator and other compatible time-based one-time password (TOTP) authenticators. Users also have the option to add hardware security keys that are compatible with FIDO1 or FIDO2 protocols, as well as soft keys offered by certain password managers as an alternative to hardware keys, essentially functioning as Passkeys.

For accounts that already have a phone number bound for verification, adding additional two-step verification methods will not automatically remove the phone number. However, users can choose to delete their phone number from their account settings if they prefer to rely solely on more secure authenticators or hardware security keys.

This feature is being rolled out to all users starting May 6, 2024, and IT administrators can configure various policies in the admin console to enhance overall security for their organization.