One of the methods Google account holders can use as a two-step verification procedure is a Google prompt: a server-fed yes/no screen, sent to a device the user is already signed in on, to verify a login attempt on a new device. Right now, users can add or remove devices that can receive these prompts. But an upcoming change may take away that ability and push the prompts to every signed-in device, every time the user needs to perform a device login.
Users who inspect the 2-Step Verification menu under their Google account's security settings will find a note under the Google prompts section telling them that:
Note: In the coming weeks, you’ll also get Google prompts for 2-Step Verification on any eligible phone where you’re signed in. To stop getting prompts on a particular phone, sign out of that phone
In addition to individual device management, account holders can also currently toggle on the prompt for all phones they're signed in to.
9to5Google earlier reported that an email from Google stated that any signed-in phone that does not currently receive prompts will be getting them starting July 7. That means users will need to sign out of a device in order for it to not get prompted during a new login attempt.
All that said, we can infer that individual device management will be falling by the wayside. That wouldn't be an ideal situation for those who manage multiple devices under their account (our Artem Russakovskii included) and have them scattered across home and work or even with a child; SIM-less phones can be just as good as a tablet. And while prompts are convenient and secure in the right hands, spreading them across every signed-in device widens that exposure and increases one's vulnerability.
I only have it enabled on my main phone.
I frequently have my kids use my devices, like tablets, without logging them into their own Google accounts, so now unless I disable this feature entirely they'd be able to tap Yes on 2FA sign-in prompts just to get the pop-up to go away.
— Artem Russakovskii (@ArtemR) June 9, 2020
One potential alternative for people in that boat could be letting them use their built-in Bluetooth security key on a single Android phone to verify logins on new devices. Right now, phone-based key verification is limited to Chrome logins.
We've reached out to Google for confirmation and comment about the risks and will update this story when we hear back.