Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

Needed it to protect my Bitcoin

[Linsaran]

About 3 years ago someone stole roughly 2.45 BTC from me.

The event was a real wake up call for me security wise. They hacked e-mail address to access a password reset form on coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through google authenticator instead and 2FA set up on literally everything I can.

It was only worth about $700 at the time, but now . . .

Must use SMS to set up TOTP

[tepples]

You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator":

To set this up, first you need to complete SMS/Voice setup. Then, follow the directions for your type of device explained below.

obligatory Game of Thrones callback

[stereoroid]

"Fewer."

Don't need to give them more info

[Solandri]

Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.

Re:For obvious reasons ...

[swillden]

You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

This app requires the following permissions:
Access to your phone book
Access to storage devices
Access to your camera
Access to your microphone
Access to your call records
Access to your photos
Ability to send SMS
Ability to make calls
Access to device identifiers
Access to Internet
Access to Wifi

It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.

Per the info on Google Play, the Google Authenticator app requires:

Camera
- take pictures and videos
Other
- create accounts and set passwords
- full network access
- control Near Field Communication
- use accounts on the device
- control vibration

Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.