Less than 10% of Gmail users have Two-Factor Authentication Enabled
If you don’t use Gmail’s two-factor authentication, you’re not the only one. At the Usenix Enigma 2018 security conference this week, Google software engineer Grzegorz Milka revealed that more than 90 percent of active Gmail users haven’t enabled two-factor authentication on their accounts, and that 10 percent of those who have activated it have had trouble figuring out how to use the SMS authentication codes sent to their phones.
“It’s about how many people would we drive out if we force them to use additional security,” Milka said, when asked why Google doesn’t enable two-factor authentication by default. “The answer is usability.”
Two-factor authentication, or 2FA, is a protocol that adds an extra layer of authentication to the login process. When you’ve enabled 2FA on an online service and enter your username and password, you’re prompted for an additional bit of information before you’re allowed to sign in — usually a randomly generated string of letters and numbers sent via text message or an app like Google Authenticator. Other forms of 2FA require a special hardware token (typically in the form of a USB keyfob such as Yubico’s Yubikey) certified by the FIDO Alliance, the industry consortium tasked with developing interoperable security standards.
So why don’t people use it? According to some researchers, they don’t trust it. In a study conducted by cybersecurity firm Sophos in 2016, over 15 percent of respondents cited privacy concerns about 2FA. Their fears aren’t baseless: Some experts have pointed to weaknesses in SMS-based 2FA, citing the risk of interception by attackers who manage to spoof phone numbers.
Google, for its part, lets G Suite enterprise customers actively disallow weak SMS authentication tokens, and it’s working on alternatives.
In October, it rolled out a new method for 2FA that replaced SMS with the “Google Prompt”, a verification screen built into Google Play services on Android and the Google app on iOS. It doesn’t require you to enter a passphrase, instead using heuristics like your phone’s geographic location and the time of day to verify your identity. The company has also launched a new service, the Advanced Protection Program, that requires high-profile accounts to use hardware-based USB 2FA security keys instead of the Google Prompt or SMS.
“One of the truths we’ve found is that people won’t accept more security than they think they need,” Mark Risher, a manager on Google’s identity systems team, told The Verge in an interview in July. “As a large-scale consumer internet provider, we want to find that right balance.”
Source: The Register