Opinion: Require 2-Step Authentication

. 

With all of the talk these days about cyber security, email security and protecting your online accounts, I just dont understand why someone would not use 2-step authentication.

We field hordes of questions in the Gmail Product forum for people that have there accounts hacked. One of the first questions often is "Did you have 2-Step Authentication activated?" 100% of the time when we get answered, the answer is a resounding NO! 

Why not, I think to myself? There are processes in place to help get your Google account back after its been hacked, but it is not an easy process. There are a great deal of details about your account that you MUST know in order to prove ownership of that account, before Google will restore an account to you. In addition, part of the steps to getting an account restored is setting up 2-step authentication prior first. 

The best way to protect your account, besides having a strong password that you REMEMBER and do not write down, is to setup 2-step Authentication.

But what is 2-step authentication? By using 2-step to log on, you would now need industry standard security requirements of something you know and something you have. Essentially it provides for an extra level of security by requiring you to enter a code on new (or not saved) devices that you have access to only for a short period of time. So if someone has your password, but you have 2-step turned on, they wont have that second code to use - unless of course you printed the backup codes and they got a hold of that printout.  

Why would services not require this simple extra layer of security to be part of their access? What would be the downside to requiring 2-step to be activated, or better yet, just part of your account logon credentials? You don't have to have any special device like a smartphone or security key. I for one cannot see any downside, and actually only see upside to requiring 2-step on all accounts that offer it, whether it be Google, Facebook, Amazon, Twitter or whatever other service offers this level of security. 

In my opinion, at a bare minimum 2-step authentication should be opt OUT not opt in. Hopefully this will help raise awareness and maybe force companies to ask these hard questions. 

You should all take time to review and learn all you can about Google's 2-step authentication here.