The hidden power of Google’s new security features

Google announced last week that it plans to automatically enroll users in two-factor authentication to improve account security. This change to Google’s default security settings, both monumental and long overdue, is a recognition of what many in cybersecurity have known for years.

“You may not realize it, but passwords are the single biggest threat to your online security—they’re easy to steal, they’re hard to remember, and managing them is tedious,” wrote Mark Risher, Director of Product Management, Identity and User Security, in a blog post announcing the upcoming change.

Perhaps the biggest beneficiaries of this move are American businesses, which are losing more than $1 billion a year because of the security defaults on their software.


Software companies get to decide which security measures are turned on and, more importantly, which are left off. These become the “defaults,” predetermined settings that take effect unless we change them. Security measures create friction, like entering a code from our phones every time we log in to an account. They’re an inconvenience we have come to accept, either because they keep our businesses safe or—as is now the case with Google—because we have no choice. And the stronger the security measure, the greater the friction.

As consumers, we’re averse to the friction created by security measures because it diminishes our product experience. So, to ensure we have a positive experience, software companies often consciously choose to minimize the default security measures—even though they know it makes us more vulnerable to cyber attack and catastrophic financial loss.

Defaults are inherently powerful because they require action to change. We typically deviate from a default only if the benefit clearly outweighs the inconvenience. The power of defaults has been studied extensively over the past two decades, with examples ranging from organ donations to 401(k) contributions to healthy food options. It’s clear in every case that we, when presented with a choice, choose the path of least friction.

With such power, defaults also carry a great deal of responsibility. We assume the security defaults are in our best interest, especially when they are recommended by prominent software companies with strong reputations. We expect a certain level of scrutiny and simply cannot fathom the idea that a software company would intentionally set up its product in a way that puts us in jeopardy. But they do.

One of the clearest examples of this problem is cyber attacks that involve email forwarding rules. Cyber criminals often use the email forwarding rules within an email service to auto-forward incoming emails to an external address they control. The tactic has caught the attention of the FBI due to its growing prevalence. At-Bay estimates American businesses lost $220 million in cyber incidents related to email forwarding in 2020, based on analysis of our portfolio loss data. This type of attack is not especially sophisticated and can easily be prevented by reconfiguring a default mail-flow rule.

In fact, as Google has shown us, email clients already have built-in security controls against most types of cyber attacks: a two-factor authentication control against account takeover and credential abuse, just like Google; an attachment filtering control against malware hiding in documents, presentations, or spreadsheets; a link filtering control against links to malicious websites that infect your browser; and even an “impossible travel” control that stops users from logging in from a location distant from the previous login (if traveling there that fast was impossible). Historically, all these controls have been turned off by default, though there’s hope change is on the way.
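To make the “impossible travel” control concrete, here is a minimal sketch of the check such a control performs. It is an added example, not code from any email provider or from this article; the `Login` fields, the 900 km/h speed ceiling, the 100 km noise floor, and the sample events are all assumptions.

```python
# Added illustration: field names, thresholds and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0    # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # ignore small hops caused by imprecise IP geolocation

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """Return (previous, current, required_kmh) for each implausible login pair."""
    last, flagged = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue
        dist = haversine_km(prev, ev)
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600
        # Simultaneous logins from distant places would need infinite speed.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            flagged.append((prev, ev, speed))
    return flagged

# Constructed sample events (not real data).
SAMPLE = [
    Login("alice", datetime(2021, 5, 10, 9, 0), 40.71, -74.01),   # New York
    Login("alice", datetime(2021, 5, 10, 10, 0), 51.51, -0.13),   # London, 1 h later
    Login("bob", datetime(2021, 5, 10, 9, 0), 37.77, -122.42),    # San Francisco
    Login("bob", datetime(2021, 5, 10, 21, 0), 40.71, -74.01),    # New York, 12 h later
    Login("carol", datetime(2021, 5, 10, 9, 0), 48.85, 2.35),     # Paris
    Login("carol", datetime(2021, 5, 10, 9, 5), 48.86, 2.34),     # Paris, nearby
]
```

Only the New York to London pair is flagged; a production control would also account for VPN exits and geolocation error before blocking a login.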

Software companies are not intentionally turning security controls off for cyber criminals to exploit. They are prioritizing user experience over security measures—making decisions in their best interest, not ours—and it’s easier to sell a product with minimal friction. However, we are rarely made aware of these trade-offs because software companies have no obligation to disclose them. And when we inevitably experience a cyber attack, software companies are not liable. The onus is on us to actively override the very defaults that make us vulnerable in the first place.


The blind trust we put into software companies has put American businesses at risk for years. (Google’s announcement about two-factor authentication is a step in the right direction, but it isn’t the only company that needs to rethink its security practices.) And not only is there no accountability, but there is also hardly any regulation in sight.

Software companies must stop the systematic transference of product risk and start enabling strong security measures by default, even if it adds friction. Google has identified the right path forward. They have successfully talked the talk and now must walk the walk. We must, as consumers, demand more transparency from software companies and hold them to higher standards. Until that time comes, it’s our job to remain diligent and challenge every assumption we make about software settings and security defaults. The health of our businesses depends on it.

Rotem Iram is founder & CEO of the cybersecurity insurance startup At-Bay.