The changes were announced and detailed today in a post on the Google Workspace blog. The update is designed to make the process of adding 2FA more intuitive and flexible, allowing admins to implement 2FA requirements easily.
How the 2FA setup process is changing
Previously, to activate 2FA, users first needed to register a phone number as their second authentication step. Now, users can directly add authenticator apps (like Google Authenticator) or physical security keys without the need to initially enable phone-based verification.Google has also introduced more options for how to use security keys. Users now have the choice of registering their keys as either FIDO1 or FIDO2 credentials, making it easier to take advantage of the capabilities of modern security keys.
However, keep in mind that even with these changes, users may still need to use both a password and their second factor authentication when logging in. For Workspace accounts, this depends on the administrator’s choice for the “Allow users to skip passwords…” policy setting, which may not be the same as the users’ preference.
Workspace Admins should also know that if a user manually turns off 2FA, their second-factor methods like security keys and backup codes won’t be deleted automatically. This ensures that off-boarding procedures remain streamlined. That means that if an administrator disables 2FA for a user, the second-factor methods are removed for security.
These changes are rolling out starting today for both Workspace users and personal Google accounts. The full rollout is expected to be completed in the next few (1 to 3) days. Note that if you have yet to implement two-factor authentication for your account, and are interested in adding extra security, you can always visit Google’s Help Center where you’ll be able to find a step-by-step guide on setting that up.