In honour of World Password Day, Google will automatically enable two-factor authentication for all Google account holders who have proper recovery information on their accounts (email or phone). That's fantastic news and a bold step for Google, and I hope Apple follows suit.
In May 2019, Google announced that there are some 1.5 billion users around the world, so this is no small feat. It's not known how many haven't turned on 2FA, but my guess is a lot, so this change will likely affect hundreds of millions of users.
For that reason, Google is letting users opt out if they don't want 2FA, which some will surely do. But many more will keep it on and gain an instant layer of protection for their personal info that they might not have added otherwise.
Google spelled out the benefits of its new 2FA policy in a statement to PCWorld:
The reality is passwords are no longer a sufficient form of authentication – they are painful for people and easy for hackers to access. It used to be that multifactor authentication was considered tedious and challenging to set up – that is no longer the case. Many users are already positioned to use a second step of verification across their accounts – this auto-enrollment process is a way for us to help get them there. Users can opt out of this change and keep their account security settings the same.
Apple was one of the first companies to offer two-step and then two-factor authentication to secure Apple ID accounts, which are your key to the Apple ecosystem. It's been a strong proponent of the protection layer, requiring it for several services, including the new AirTag tracker, and has mandated it for all accounts created since iOS 13.4, iPadOS 13.4, and macOS 10.15.4.
However, there are hundreds of millions of accounts created before March 2020 that aren't protected by 2FA, and Apple should turn those on too.
Of course, there will be pushback, but once the din dies down, users would be the better for it. The resistance to 2FA—namely the fear that you'll be locked out of your account—would be outweighed by the extra security people get.
The bottom line is you're no more likely to get locked out of your account with 2FA on than without it, especially with Apple's system, which uses trusted Apple devices first, and less-secure SMS only as a backup.
And while we're at it, Apple should also offer an app similar to Google Authenticator that provides standards-based one-time-use codes for third-party services without needing to send text messages. This app could offer password management of your iCloud Keychain too, instead of making you dive into Settings to do so.
An Apple Authenticator app would help make one-time-password use more common than the less secure SMS-based codes, and ensure there are as few holes as possible in your iPhone's security.
But for now, I'll be happy with just turning on 2FA for the millions of users who haven't yet turned it on. If Google can do it, Apple can too.