Is your Google account asking you to check your Android phone or open the Gmail app on your Apple device? Nothing is broken—Google just changed how signing in works for most users.
In May 2021, Google started turning on two-factor authentication for most users. Until then, the feature was opt-in only. This means millions of users are seeing the two-step verification prompt for the first time.
It's nothing to be afraid of, though. It's just an extra step while signing in.
When you see a prompt like this on your computer, simply pick up your Android phone or open the Gmail or Google app on your iPhone. You'll be asked if it's you trying to sign in.
Hit Yes, and that's it—your computer will sign in. It's painless, but it's also a big boost to your security.
Why did Google change how signing in works?
Most people use the same password for every service because it's easier than remembering multiple passwords or setting up a password manager. The result: if one password leaks, an attacker can use it to access all of your accounts.
This is why Google started offering two-factor authentication a decade ago, in 2011. The idea is that you set up a second form of verification, so that an attacker with your password can't sign in. Early versions of this would send you a text message, but most security experts recommend using a dedicated app like Authy.
Google's two-factor system is interesting because you don't have to install or set up a special app to use it: Android users get a system-wide notification, while iPhone users can see the message in the Gmail or Google app.
No major tech company has made two-factor authentication the default until now, which is probably why the vast majority of users don't use it. Google hopes that changes and is even dreaming of a world without passwords. From a Google blog post:
One day, we hope stolen passwords will be a thing of the past, because passwords will be a thing of the past.
This isn't as absurd as it sounds. Here at Zapier, we stopped using passwords for our internal VPN, and it works great. Steps like the one Google just took could help kill off passwords everywhere.
What if I don't have access to my phone?
What if you don't have your phone? How are you supposed to log in to your Google account? There are a few options.
Head to Google's two-step verification settings, where you can add backup ways to access your account, some of which don't require a phone. You can make a list of backup codes, which you can print out and store somewhere secure. Or you could use a YubiKey, a dedicated USB device you can plug into any computer to verify your identity. I use one of these, and it's great—you just tap a button to log in to things.
You don't need your phone to use two-factor authentication—it's just a relatively simple choice.
Note that Google Workspace accounts will not have two-factor authentication enabled by default, though admins can make this the default if they want to. Something to consider if you're making a cybersecurity plan for your business.
