Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Your daily dose of digital depression

By Iain Thomson in San Francisco

Usenix Enigma: It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: "What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?" Out of 838 followers who responded within the hour, 82 per cent correctly selected less than 10 per cent. The rest picked more than 10 per cent.

Shameful ... Milka's stats at Enigma

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn't enough – they need your unlocked phone, or similar, to get in.

Google has tried to make the whole process easier to use, but it seems netizens just can’t handle it. More than 10 per cent of those trying to use the defense mechanism had problems just inputting an access code sent via SMS.

What if you don't have two-step authentication, and someone hijacks your account? Well, Google is on the lookout for that, too.

Anatomy of a hack ... An account hijacker's actions

To spot criminals and other miscreants commandeering a victim's webmail inbox, the Chocolate Factory has increased its use of heuristics to detect dodgy behavior. A typical attacker has a typical routine – once they manage to get into an account, they shut down notification to the owner, ransack the inbox for immediately valuable stuff like Bitcoin wallet stuff or intimate photos, copy the contacts lists, and then install a filter to mask their action from the owner.

By looking out for and alerting folks to these shenanigans, Google hopes to make account hijackings less commonplace. But, given netizens' lack of interest in security, warnings about suspicious activity are unlikely to get people moving to protect their information. ®
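
The hijack routine described above lends itself to a simple sequence heuristic. The sketch below is an added example, not Google's detection code: the event names, the 30-minute window, the three-stage threshold and the log format are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIJACK_STAGES = {  # hypothetical event names for the article's four steps
    "notifications_disabled",  # shut down notification to the owner
    "sensitive_search",        # ransack the inbox for valuable items
    "contacts_exported",       # copy the contacts list
    "filter_created",          # install a filter to mask the activity
}
WINDOW = timedelta(minutes=30)  # assumed: stages must cluster after a login
THRESHOLD = 3                   # assumed: distinct stages needed to alert

def parse(line):
    ts, account, action = line.split()  # "ISO-timestamp account action"
    return datetime.fromisoformat(ts), account, action

def suspicious_sessions(lines):
    """Return {account: stages} for logins followed by >= THRESHOLD stages in WINDOW."""
    by_account = defaultdict(list)
    for ts, account, action in sorted(parse(l) for l in lines if l.strip()):
        by_account[account].append((ts, action))
    alerts = {}
    for account, events in by_account.items():
        for i, (login_ts, action) in enumerate(events):
            if action != "login":
                continue
            seen = set()
            for ts, act in events[i + 1:]:
                if act == "login" or ts - login_ts > WINDOW:
                    break  # next session began, or activity is too late to count
                if act in HIJACK_STAGES:
                    seen.add(act)
            if len(seen) >= THRESHOLD:
                alerts[account] = sorted(seen)
    return alerts

# Constructed sample log, not real data.
SAMPLE_LOG = """
2018-01-17T09:00:00 alice login
2018-01-17T09:01:10 alice notifications_disabled
2018-01-17T09:02:30 alice sensitive_search
2018-01-17T09:04:00 alice contacts_exported
2018-01-17T09:05:20 alice filter_created
2018-01-17T11:00:00 carol login
2018-01-17T11:05:00 carol filter_created
2018-01-17T13:00:00 carol contacts_exported
""".strip().splitlines()

if __name__ == "__main__":
    print(suspicious_sessions(SAMPLE_LOG))
```

A lone filter creation, or stages spread over hours, stays below the threshold, so ordinary mailbox housekeeping does not raise an alert.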
