Google's 5-year security plan aims for a "painful" sign-in that only happens once per device
The document makes it sound like Google wants to make two-step authentication the rule rather than the exception. Eric Sachs, group product manager for identity at Google, gives the essence of Google's security plan:
Sachs went on to say that at the start of Google's last 5-year plan (2008), the company didn't predict the level of smartphone adoption that we've seen. Of course, at that time, the iPhone was still relatively new, and the G1 wouldn't be out until later in 2008. Sachs says that under the new 5-year plan, using mobile hardware and apps as the point of friction for logging in makes much more sense.
Sachs says that the device makes sense as the focal point. He mentioned that Google is working on a "God-level OAuth token" that would live at the system level of your smartphone and control access within apps and the browser. He also said that Google is looking into options like biometrics and NFC as a way to identify yourself and have one device authorize another. Ultimately, Google "would prefer for a user to authorize a new device by having an existing device talk to it via a cryptographic protocol that cannot be phished."
There's no word on when the changes will start, but as we've seen in the last 5 years, quite a lot can change in that span of time.