In a Workspace update blog post, Google writes “We’re simplifying how users turn on 2-Step Verification (2SV), which will streamline the process, and make it easier for admins to enforce 2SV policies in their organizations.”
What does this mean for users?
With the new update, OTP-based verification is no longer a mandatory step for setting up 2FA. This means that users can either choose a time-based code generated by an authenticator application or connect a physical security key.
As per the blog update, users with hardware security keys will have two options to add them to their account on the “Passkeys and security keys” page.
They can either choose the ‘security key’ method to register a FIDO1 credential on the security key. Alternatively, they can create a passkey and follow instructions to ‘use another device’. This registers a FIDO2 credential on the security key, and will require users to use the key’s PIN for local verification.
Google says that users will continue to be asked for their password along with their passkey if the admin policy for “Allow users to skip passwords at sign-in by using passkeys” remains turned OFF. However, if a user turns off two-step verification from their account settings, their enrolled second steps, such as backup codes, Google Authenticator, or a second-factor phone, will not be automatically removed from their account.