WatchGuard Blog

Google to introduce mandatory MFA - what will the future of passwords look like?

Mark Risher, director of product management, identity and user security at Google, wants to make using passwords a thing of the past and replace them with more reliable measures such as multi-factor authentication. What’s the reason for this decision and how can MSPs leverage the benefits of MFA in organizations?

World Password Day, celebrated last May 6, was chosen to make the announcement  that Google was going to move towards working without passwords, which caused a stir among users and the cybersecurity community. Risher justified this decision as follows:

“You may not realize it, but passwords are the single biggest threat to your online security – they’re easy to steal, they’re hard to remember, and managing them is tedious. Many people believe that a password should be as long and complicated as possible – but in many cases, this can actually increase the security risk. Complicated passwords tempt users into using them for more than one account. In fact, 66% of Americans admit to using the same password across multiple sites, which makes all those accounts vulnerable if any one falls.”

2SV and other measures

Risher provided revealing data to support the announcement: in 2020, searches on Google for “How strong is my password?” increased by 300%. He states that’s why the company invests in simpler password management with the aim of doing without passwords in the future. But how will users be able to verify their identity in a secure way?

The measure the company is promoting at the moment is multi-factor authentication (MFA) and, in particular, 2-step authentication (2SV), as Risher asserts that it significantly reduces the risk of accounts being comprised in comparison to simply being based on an access password.

For the time being, 2SV will be mandatory for users who have already started the process to implement it, although Risher strongly recommends everyone use this measure to protect their accounts. In the meantime, the company is also introducing other complementary security measures, such as security keys, which are already a direct functionality on Android devices, or the Google Smart Lock for iOS users.

Reliability and ease of management

When it comes to cybersecurity, we must always assume that no measure or system can guarantee 100% protection. That also includes MFA, as we addressed earlier in the blog in our post Are all MFA systems secure? However, Mark Risher is right that well-designed MFA reduces considerably the chances of success for cyberattackers.

That's what Watchguard's AuthPoint multi-factor authentication also achieves. Thanks to the tools it offers, MSPs can adequately protect organizations' identities and accounts. Applying methods such as push authentication, QR code-based authentication, all employees can gain access with ease through a convenient mobile application. No tedious password access is required and once authorized, they only have to follow one quick step to authenticate their identity. In addition, administrators can rest easy knowing that the cell phones used are authorized devices: "Mobile DNA" technology verifies whether access is from an authorized device, thus blocking any attempt to infiltrate the systems using a cloned SIM on other devices.

Moreover, if the organization elects not to rely on mobile access, Watchguard AuthPoint also offers the option of Hardware Tokens. These small, sealed electronic devices automatically generate passwords, but they are one-time passwords (OTP) and last only 30 seconds. Finally, whichever method they choose, the workload for administrators will be reduced. All permissions and authentications are very easy to manage through the AuthPoint portal in the Watchguard Cloud.

Ultimately, we don't know if the future without passwords that Risher envisages will arrive soon; but in the meantime, we are convinced that organizations should rely on practices that have proven to make things more difficult for cyberattackers and that means multi-factor authentication.