Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Your daily dose of digital depression

By Iain Thomson in San Francisco

Usenix Enigma It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: "What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?" Out of 838 followers who responded within the hour, 82 per cent correctly selected less than 10 per cent. The rest picked more than 10 per cent.

Shameful ... Milka's stats at Enigma

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn't enough – they need your unlocked phone, or similar, to get in.

Google has tried to make the whole process easier to use, but it seems netizens just can’t handle it. More than 10 per cent of those trying to use the defense mechanism had problems just inputting an access code sent via SMS.

What if you don't have two-step authentication, and someone hijacks your account? Well, Google is on the lookout for that, too.

Anatomy of a hack ... An account hijacker's actions

To spot criminals and other miscreants commandeering a victim's webmail inbox, the Chocolate Factory has increased its use of heuristics to detect dodgy behavior. A typical attacker has a typical routine – once they manage to get into an account, they shut down notification to the owner, ransack the inbox for immediately valuable stuff like Bitcoin wallet stuff or intimate photos, copy the contacts lists, and then install a filter to mask their action from the owner.

By looking out for and alerting folks to these shenanigans, Google hopes to make account hijackings less commonplace. But, given netizens' lack of interest in security, warnings about suspicious activity are unlikely to get people moving to protect their information. ®
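The hijacker routine described above (notifications off, inbox search, contacts copied, masking filter installed) lends itself to an ordered-sequence check over account activity. The sketch below is an added example, not Google's heuristics or anything shown in Milka's talk: the event names, the 30-minute window, the three-stage threshold and the sample log are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical event names for the four stages the article lists, in order.
STAGES = ["notifications_disabled", "mail_search",
          "contacts_export", "filter_created"]
WINDOW_SECONDS = 30 * 60  # assumed: routine runs within 30 minutes of login
MIN_STAGES = 3            # assumed alert threshold

def score_session(events):
    """Return the routine stages seen, in order, among time-sorted events."""
    seen, next_idx = [], 0
    for ev in events:
        # A stage counts only at or after the next expected position, so a
        # skipped or repeated step does not hide the rest of the routine.
        if ev["action"] in STAGES[next_idx:]:
            next_idx = STAGES.index(ev["action"]) + 1
            seen.append(ev["action"])
    return seen

def detect_hijack_routine(log):
    """Return {account: stages} for accounts matching the routine after a login."""
    by_account = defaultdict(list)
    for ev in sorted(log, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)
    alerts = {}
    for account, events in by_account.items():
        for i, login in enumerate(events):
            if login["action"] != "login":
                continue
            window = [e for e in events[i + 1:]
                      if e["ts"] - login["ts"] <= WINDOW_SECONDS]
            stages = score_session(window)
            if len(stages) >= MIN_STAGES and len(stages) > len(alerts.get(account, [])):
                alerts[account] = stages
    return alerts

def event(account, ts, action):
    return {"account": account, "ts": ts, "action": action}

# Constructed sample log (timestamps in seconds); not real account data.
SAMPLE_LOG = [
    event("alice", 0, "login"), event("alice", 40, "notifications_disabled"),
    event("alice", 95, "mail_search"), event("alice", 160, "contacts_export"),
    event("alice", 210, "filter_created"),
    event("bob", 10, "login"), event("bob", 300, "mail_search"),  # ordinary use
    event("bob", 5000, "filter_created"),                         # outside window
    event("carol", 20, "login"), event("carol", 60, "mail_search"),  # skips stage 1
    event("carol", 90, "contacts_export"), event("carol", 120, "filter_created"),
]

if __name__ == "__main__":
    for account, stages in detect_hijack_routine(SAMPLE_LOG).items():
        print(f"ALERT {account}: {' -> '.join(stages)}")
```

Requiring order and a time window is what keeps an ordinary user who searches mail and later creates a filter ("bob" in the sample) from triggering the alert.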
