Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Your daily dose of digital depression


Usenix Enigma It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, and virtually no one is using it.

In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: "What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?" Out of 838 followers who responded within the hour, 82 per cent correctly selected less than 10 per cent. The rest picked more than 10 per cent.

Upsetting ... Milka's stats at Enigma

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn't enough – they need your unlocked phone, or similar, to get in.

Google has tried to make the whole process easier to use, though it seems netizens can’t handle it. More than 10 per cent of those trying to use the defense mechanism had problems just inputting an access code sent via SMS.

What if you don't have two-step authentication, and someone hijacks your account? Well, Google is on the lookout for that, too.

Anatomy of a hack ... An account hijacker's actions

To spot criminals and other miscreants commandeering a victim's webmail inbox, the Chocolate Factory has increased its use of heuristics to detect dodgy behavior. A typical attacker follows a typical routine – once they manage to get into an account, they shut down notifications to the owner, ransack the inbox for immediately valuable material such as Bitcoin wallet details or intimate photos, copy the contacts list, and then install a filter to mask their actions from the owner.
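The routine above, turned into a detection heuristic run over a constructed audit log (an added example, not Google's own code; the action names, stage weights, alert threshold and the 30-minute window are assumptions):

```python
# Added example (not Google's code): heuristic detector for the hijacker
# routine described above. Action names, weights, window and the audit
# lines are assumptions constructed for illustration.
from datetime import datetime, timedelta

# Stages of the routine, mapped to assumed audit-log action names. Muting
# the owner and hiding traces are weighted as the strongest signals.
STAGE_WEIGHTS = {
    "notifications_disabled": 3,  # shut down notifications to the owner
    "mailbox_search": 1,          # ransack the inbox for valuable material
    "contacts_exported": 2,       # copy the contacts list
    "filter_created": 3,          # install a filter to mask the activity
}
WINDOW = timedelta(minutes=30)
ALERT_THRESHOLD = 6  # reached only when several stages coincide

def parse_log(lines):
    """Parse 'ISO-timestamp<TAB>action' lines into sorted (time, action)."""
    events = []
    for line in lines:
        ts, action = line.strip().split("\t", 1)
        events.append((datetime.fromisoformat(ts), action))
    return sorted(events)

def score_session(events):
    """Best score over any 30-minute window; each distinct stage counts once."""
    best_score, best_stages = 0, set()
    for i, (start, _) in enumerate(events):
        stages = {a for t, a in events[i:]
                  if t - start <= WINDOW and a in STAGE_WEIGHTS}
        score = sum(STAGE_WEIGHTS[s] for s in stages)
        if score > best_score:
            best_score, best_stages = score, stages
    return best_score, best_stages

def is_hijack_pattern(lines):
    return score_session(parse_log(lines))[0] >= ALERT_THRESHOLD

# Constructed: a login followed by the whole routine within minutes.
SUSPICIOUS_LOG = [
    "2018-01-17T09:00:00\tlogin",
    "2018-01-17T09:01:10\tnotifications_disabled",
    "2018-01-17T09:02:30\tmailbox_search",
    "2018-01-17T09:05:00\tcontacts_exported",
    "2018-01-17T09:06:45\tfilter_created",
]
# Constructed: a legitimate user searching mail, then adding a filter hours later.
BENIGN_LOG = [
    "2018-01-17T09:00:00\tlogin",
    "2018-01-17T09:10:00\tmailbox_search",
    "2018-01-17T14:30:00\tfilter_created",
]
```

The benign log never reaches the threshold because its stages are hours apart, while the suspicious one accumulates all four stages inside a single window.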

By looking out for and alerting folks to these shenanigans, Google hopes to make account hijackings less commonplace. But, given netizens' lack of interest in security, warnings about suspicious activity are unlikely to get people moving to protect their information. ®

