Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk)
It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
I may not be part of the 1%, but I'm part of the 10%.
That's a lot considering how many email boxes they have.
and say your sextual emails will be stolen
that your bank will be hacked
that you will send virusii to your coworkers
if the answer is no johnny gmail user ain't turning it on
So far I don't trust any of the password managers available for mobile. Better to keep it all in my head.
Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.
Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.
It's a fucking pain in the ass to use, and if you're into security, you're not using gmail...
About 3 years ago someone stole roughly 2.45 BTC from me.
The event was a real wake up call for me security wise. They hacked e-mail address to access a password reset form on coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through google authenticator instead and 2FA set up on literally everything I can.
It was only worth about $700 at the time, but now . . .
In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
2FA isn't secure if it only relies on a phone number as a substitute for cryptography. A single call to the outsourced customer service department of your phone company could transfer your number to the sim card of a malicious actor.
Because I refuse to give Google my cell phone number to text me, because there is no way in hell they need to be able to track me even further.
That's a big old "hard no" there, chief.
Google's 2FA is as much about them getting more information about you as it is your security.
I use my gmail account as a spam dump - you want to send me something that I'm not asking for, you get my gmail account. I suspect many other people use it for that as well. Note that this only assumes accounts using the "gmail" domain and not business accounts that are hosted by Google (and are gmail accounts in all but name).
Next on the list are kids who wouldn't be savvy enough (or have a credit card/cell phone), then I don't see them using two factor authentication. Then you have companies that create accounts for testing and demonstrations. Finally, you have people who don't think their privacy, information, social security or credit card numbers are important enough to warrant entering a number that comes through on their phones when they log into their GMail accounts. Put them all together and 90% not using two factor authentication seems reasonable.
For the many people that will disagree with this post, you can voice your concerns via email at myke.predko@gmail.com
Mimetics Inc. Twitter
Why is everyone talking about cellphone numbers and SMS?
Aren't we talking about Google's own Authenticator application?
#DeleteFacebook
The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages. T-Mobile, for example, charges its pay-as-you-go customers 10 cents to send and 10 cents to receive. And no, Google and Twitter don't allow use of a FIDO U2F key or a TOTP client without also having a mobile phone number set up.
Part of the problem with password managers is that the reviews are so poorly written. I have looked for: free, easy to use, cross-platform. Yes, of course I have googled it. I still cannot find one that is good enough to recommend to my students.
I just did this for shits and giggles.. upon typing in my cellphone number, my username temporarily changed to a gmail account I deleted 6 years ago.
For example, when two people need (legitimate and approved) access to the same email account in order to receive confirmation codes from, say, our bank. The authenticators have to be set up simultaneously on two devices (one per person) and have to STAY in sync. If my wife's phone runs out of charge (this has happened), you have to go through the whole resync process again. I won't say it's a pain in the neck. I have a much lower opinion of it than that. I tossed two-factor out.
When Google sets up some method whereby two-factor can be (verifiably approved) so that two people can conveniently share an account. I'll be interested. But not until then.
You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator":
what are you bitching about - you just set up the authenticator using the same secret. it works fine. i have two devices which can authenticate (my phone and a backup).
"but virtually no one is using it"
10% of 1 billion (https://www.statista.com/statistics/432390/active-gmail-users/) is 100 million people using it, which I think is a lot of people; it's more than, say, the population of the UK.
It's also not a bulletproof solution; texting the code can be intercepted by anybody with the right equipment and location, for example.
Having a randomly generated password which you change every 30 days, might well be stronger, and nothing stops governments or other authorised authorities from requesting the contents.
If you don't want somebody else to read an email, using GPG/PGP solutions would be recommended and gives much better security, as the encryption is done on a per-recipient basis; this is much more secure.
I think 100 million is a good start, but google could do more to make it easier and prompt people when they login.
I had 2FA enabled, then left my phone in an uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.
few are using TFA for gmail is because no one really uses gmail for much of anything.
"Fewer."
(this is not a
Everyone thinks their secret box is more important than their neighbor's secret box.
Guess what, all your emails are boring! I've been an SA since the 1990s and root on thousands of Unix servers dating back to SunOS-4, and no one has anything interesting in their emails.
Stop inflating your egos by thinking everyone is after your special sauce. Unless you're connected to a politician or celebrity, no one gives the fattest rat's posterior what you gotta say or what you're sending plaintext.
is to remind my girlfriend to buy dogfood when we're out. Good luck to anyone who steals access.
What I'm bitching about is if ANYTHING happens to either of the two devices, you have to go to a fair amount of trouble to reinitialize the synchronization of the Google apps. My wife's phone does NOT live a sheltered life and has gone down on more than one occasion.
If you're using Google Apps on a domain with a delegated SSO, MFA may not be an option for you.
Won't someone pleeeeease!!!!!
Fap fap fap fap fap fap fap fap fap!!!!!
Whoever chooses to use gmail isn't very serious about privacy anyway.
I hope they realize that some of us use many of these accounts with non-standard, human-less devices that aren't PCs, tablets, nor cellular phones.
You might want to look up what TOTP actually stands for. Hint: the first word is Time.
You can configure as many devices with the same seed as you like. Your wife simply needed to turn her phone back on and give it a moment to sync time with the cell network.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
You have to add a mobile number to set up FIDO U2F key or a TOTP client but you can just remove it right after. IDK why they do it that way.
Last I checked, removing your mobile number from your account had the side effect of also removing FIDO U2F or TOTP from your account. At least Twitter does that. From "Twitter's 2-factor authentication has a serious problem" by Jack Morse:
Does Google also disable TOTP access after you have removed your phone number?
The 2FA at my employer uses a text message to give me a code that I can then use to VPN in. That's great. Except when my phone doesn't get reception. Or when I'm working in a room where carrying wireless devices isn't permitted. Or if I forget to bring my phone with me. Security isn't for free.
If you are using a random unique password per site, then the additional protection offered by 2FA is effectively zero.
With a password that is not re-used, there are two possible attacks (1) phishing, (2) malware. If you are tricked into entering your password on a phishing site then you will almost certainly be tricked into entering your 2FA. If you have malware it can jack your session anyway.
Set your wife and you up with your own accounts (and your own 2FA Authenticators). Then you can delegate access to your inboxes to each other if you want to share everything or set-up a third shared account that you delegate out and never bother to log into.
Or... use Authy as your authenticator app as it will let you sync to multiple devices. It's less secure, but better than not using 2FA at all.
Passwords are bad, but are a lot less annoying than passwords plus 2FA. The loss of the second factor is basically a nightmare, and each service wants you to use their own app or whatever. Even changing phones becomes a hassle. I get it for an enterprise environment, where in an emergency, you can call your local IT guy and get them to reset it for you, but if something goes wrong with Google you're screwed. You can't even pay to talk to someone to get it fixed.
This is a moot point if you buy your own email. If somebody gets your password, change it yourself. Or, enable 2 factor authorization, and don't give Google your cell phone number. Email costs $2/month.
I don't respond to AC's.
The way I see it, it's not a question of what information you do or do not give Google. If you choose to use their service, then you're agreeing to their terms, and part of those terms is the information they collect. Don't like it? Find another email provider who doesn't collect any information. If you're really serious about security, open your wallet and get your own email through a private provider, or stand up your own server that you can secure however you want and thus can be assured your data is safe. The discussion of whether or not to use 2FA is completely separate from that.
I've used Google Authenticator to secure my Google account for a long time. When Google rolled out the advanced security option, I signed up as soon as I had FIDO keys in my possession. Why? Because your email is the gateway to everything else. Someone who gets access to your email can then get access to other accounts tied to that email address simply by going to the website and hitting "reset my password". Your concern should be making sure that someone can NOT accomplish that by having the ability to hack your shit remotely, and that's where 2FA can really help you.
Since I cannot have a cellphone in the office, no 2FA for gmail for me.
Two devices can stay in sync using the current date and time. If your bank couldn't figure out how to resync using that obvious mechanism I don't know what to tell you; every single authenticator app I've seen uses it.
The synchronization should be handled by the device's clock. Either your wife's phone does not work properly with such a basic feature (which is required for 2FA to work in the first place) or your bank has no idea how to properly handle 2FA security. If I were you I'd be worried about how they handle other types of security.
Two reasons:
1) robocalls; how do I know google won't share my phone number with the world?
2) if I lose my phone how do I access email?
I would like to use some sort of two-factor identification, but how does one get around these two problems?
It doesn't make any difference if you don't own a mobile.
[A pay-as-you-go plan] is cheap, but effectively worthless for anything other than a rare quick phone call or text message
I use it for exactly that. Longer voice calls wait until I arrive at home, where we have a phone on a different plan with unlimited minutes and zero texts. Longer text conversations wait until I arrive at home or at a hotspot, where I use Internet-based text chat or email.
and if it's actually a smartphone, then it's a waste of resources altogether.
I disagree. Even without cellular data, my Android phone is no more "a waste of resources" than an iPod touch. On this 5-inch tablet, I can still access locally stored information anywhere and connect to the Internet at any hotspot.
If you carry a device for emergencies only
I carry it not only for emergencies but also for the sort of urgencies for which one would have used a payphone in previous decades. The most common is calling home to arrange a ride after the city buses have stopped running for the night or for the weekend.
Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.
The concept is great, but if I accidentally left my phone at home, I'm locked out of my email.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
So getting all your email isn't a concern
Here I assume you mean someone ELSE getting my email? Honestly that is less of a concern to me than Google having more information on me, yes.
That said Google already has my phone number through lots of other means so I'm not sure I care that much. Still have not turned on two-factor because I use secure passwords (yes I know two-factor would still be better). One impediment is having to re-enter passwords across several devices after I switch over.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Their 2FA system demanded a cellphone to work, then failed to make use of the authenticator once a device was set up to access gmail. Since cellphones basically don't have their vulnerabilities patched and it doesn't really use 2FA anyway, 2FA merely added an extra point of failure.... So why bother?
So far as I am concerned, if I lose or break the authenticator, I'd rather simply have a nuked account to replace than something which can be broken into by a thief using whatever self-defeat they build into the system to keep people who lose their own credentials happy.
So I switched them all to Google Phone number. In my google phone account I set up the SMS to echo to gmail. The gmail account also uses 2FA but these are my desktops at home and work, and one chromebook at home. So even if I lose my phone, I have my desktops to get the authentication codes.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
There is nothing in my GMail account worth the trouble. GMail is just for throwaway accounts. They are one micro-step above Mailinator in the grand hierarchy of email account value. For $10 a month to host my own domain and email, it's just not worth using those turkeys.
I tried Google's two factor for about six months. It was a PITA! The app would randomly stop working, and when I was on another device it would make me jump through nigh infinite hoops to log me in. If the pain exceeds the user's threshold they aren't going to use it unless they have to. I turned it off and have never tried it since. Most users have less patience than I do so 1 in 10 sounds about right.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
The problem is that we have too many passwords, too many accounts, too many things to bloody remember.
Bullshit. No matter who you are and how unimportant you are, two things will still apply:
1) Your money is just as good as anyone else's. If I could steal $10 from your wallet, I wouldn't stop and think, "wait, maybe I should steal $10 from Jeff Bezos instead. I'll go look for him." Bzzt. Your $10 will do just fine.
2) Regardless of how much or little your adversary values what they get from you (maybe the above fuckwit is right that they might not value it at all), you will negatively value the loss. It sucks to be a victim, even if it also sucks to be the thief. ;-) If Jeff Bezos steals $10 from you, maybe that's not a great windfall to him, but to you, ten bucks is still ten bucks.
And you determine that, by reading them. And finally, the Grand Fuckwittery that proves the above poster is a very special idiot:
It's not about "everyone" it's about "anyone" or "anything" since the attacker is probably an unconscious script. And the robot isn't after your special sauce specifically, it's after whatever the hell it can get.
Shit, I'm not done yet. Just when I think I have identified all the stupidity, I keep finding more:
So.. maybe about one in ten people? There are an awful lot of politicians and celebrities, and especially the politicians mix quite a bit. Anyone who wants to, can trivially "get connected" to a politician. If you haven't done it, it means you haven't tried. You don't even need much money; $100 will do. I'm not saying that'll get you their dick pics, but it might!
2FA has made me stop using my Google account. I previously used it for some Google groups. But now when I get an email saying that there is a new message there, I click the link to read it, and then give-up because I have to do some process that involves a text message and entering in a code. At that point I just close the window and forget about it. There are better forums out there that don't require such nonsense. I don't even know how they got my phone number in the first place - probably because I have an Android phone that uses the account.
On the other hand, I will happily use 2FA with my work VPN and my bank. There's something worth securing there. Google just set the bar too low. You want to send me a text message to confirm a comment on a YouTube video? No thanks.
People used to complain that they had to remember too many passwords to different services. So now, everyone logs into everything via Google or Facebook, which makes them 10x more vulnerable. So now we have to use 2FA to secure everything because it is such a treasure trove of data. We were better-off the old way.
Yubikey and Lastpass. Even secures my computer with the former. You can even store PGP keys if one wants to do that. For those with a mobile phone there's an NFC version as well.
Like Apple's, etc.?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
TFA is just a pain in the ass to use, I'm surprised that the numbers seem to be even in the higher one-digit percentage.
For, who uses gmail for anything serious?
Get two U2F devices and associate them both to the account. If one gets lost, remove it and get another one. No clock or battery.
My wife and I both do this for our own accounts, if she loses her device I help her get back in and vice-versa.
Android Apps and Third-Party Auth Integrations that don't support 2FA...
Really...I enabled 2FA across my google accounts and had to disable it b/c I had too many things that didn't support the 2FA protocols. I still use the app password for Gmail though; it's still partially enabled in that respect. But until Android Apps and third-party auth integrations are forced to support it it won't go anywhere. I'd love to do so, especially using a FIDO/YubiKey solution; though again Android fails there as too many Android devices don't support the hardware tokens via USB, even with the dongles to hook them up.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Thanks to SS7, two factor authentication is less secure than a decent password. All the attacker needs is your phone number.
Google helped create the FIDO U2F standard and use it themselves but don't encourage their subscribers to use it. Google authenticator and other phone-based 2FA is primarily a way to link a real name and address to an account. Not that it matters, most people access their Google account from their phone anyway.
Google allows a second FIDO U2F device to be linked to an account, allowing an account to be shared (without password sharing), or to be accessed when the first device is lost/stolen.
How can they tell? One can use a password manager without using its random-password generator. A few words about password managers: It allows mobility, which can be lost or stolen, so back-ups are necessary (I have 4). That won't help someone at the point of loss, but it will be possible to resume normal life in short order. It creates a single point of failure, so good AV and anti-spyware practices are needed. Plus, of course, use a manager that provides real encryption on mobile devices. So many Android apps move the data file to a hidden directory, then rename it, and possibly ROT cipher the first few kilobytes: That is fake security.
The places I most need 2FA are places where I will not have my phone and do not want to carry around a pad of one-use codes. (i.e. south east asian holidays).
If I use a second email address for the 2FA then it's exactly the same problem, except they can hack two emails instead of one.
I bought a U2F device to secure more of my online accounts. I use google docs, but not gmail or any of the other google stuff.
Wanted to secure my github account as well, but they wouldn't allow U2F without a cell phone connection either. Actually bought a $5 device through the github offer.
Can't ever get google to respond, but github customer service did. I explained my desire and they checked if a cell phone was mandatory. It was.
Too bad. That U2F device has been a complete waste.
... No one in their right mind uses google email for anything private life (including contacts) or employment. Get a protonmail account. Better to use gmail for light use and get hacked than to give Google your phone number. If something looks fishy, just make another account for your website sign ups and spam.
It's one point to attack/corrupt/infiltrate.
So I'm leery of using a password manager.
Instead I have really long algorithmic passwords.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
2FA is more secure, but annoying. Massively annoying if you log into several 2FA secured accounts over the day. I'm accepting it for online banking and similarly important business, but not for my throwaway gmail accounts.
Clef was 2FA done right, and I have high hopes for SQRL, but it seems slow in coming out with actual clients that normal people can use.
As long as the usability factor for 2FA is somewhere between annoying and hostile, it won't see more adoption.
Assorted stuff I do sometimes: Lemuria.org
I just checked, and the text is indeed out of date. I was able to set up 2FA for my account by using a Samsung Galaxy Tab A 8" (an Android tablet with Google Play) as my second factor instead of a cell phone.
Twitter has some catching up to do.
It is even worse than that
If you travel or use a VPN, google forces you to use 2FA
You must have your phone with you to log into your google account.
So, if I am overseas and I lose my phone, I can't log into my account and disable it asap.
there is a nice little button that says I don't have a phone - it does nothing except tell you to use the phone or your home computer.
Yep, fly 14,000 kilometres to turn your stolen phone off - F*k'n hopeless
I am very happy with my level of security, no one knows my password.
If I have to log in from a computer I don't trust, I change the password as soon as I can.
It's not that hard.
Google - stuffing up things to work very well
10% of the millions using Gmail is a long way from "no one"
Fewer than 1 in 10.
You illiterate American cretins...
Two factor authentication often means getting a text message and that requires typically a cell phone that comes with more or less significant cost. Sure, I have one, almost everyone has one, but I rarely use it and pulling it out just to fish for a one time key so that I can download my spam emails is highly inconvenient. It also defies any attempt in automation. I have my emails downloaded from the server every two hours. The volume is so large that I otherwise would clog up the various email accounts I deal with. I'd go for two factor if the second factor is a hardware dongle that authorizes a system to download emails. And yes, I do not use the slow, ad laden and clunky web portals of email providers. There you have it, other users may have different reasons.
I don't bother because my Gmail account is my throw-away account. It's the email I give out if I absolutely HAVE to, to sign up for some web site or something. I also know I have a fairly ("asdfasdf") password on it because I DON'T CARE. Things I do care about are under a different email, with strong passwords and TFA .
It is more important to teach someone what not to click on than how to use a password manager. 2-factor authentication is important though and in my opinion should be forcibly enabled by websites that support it.
I started using 2FA recently, before that unique passwords & pw manager. I've never been bitten by security problems, but I'm relatively low profile.
Working with u2f (yubikey) and totp (google authenticator) has been a bit annoying. Most sites don't support u2f, or even 2FA in general. The ones I want to have 2FA, like my bank, do not or they implement it through sms/email. Some sites, like Facebook, have issues with multiple u2f tokens (ie. second and subsequent tokens do not work). It requires extra effort to get gmail working in external clients with saved device trust instead of 2FA as well.
Actually using u2f has been nice though, even with chrome on android via nfc. Once things are set up on a site, it's very reliable.
Who uses a web based email server and expects security? Even back in the 90s people knew better than to rely on Hotmail, Yahoo, and Gmail. I don't bother with high security on gmail as it is my throw away spamertizer catcher address used to sign onto web pages that require a valid email to read their articles.
NRRPT/RCT