Slashdot Mirror


Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk)

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

37 of 254 comments

  1. No thanks. by b0s0z0ku · · Score: 4, Insightful

    Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.

    Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.

    1. Re:No thanks. by chispito · · Score: 2

      Not everyone wants to give Google more personal info

      How is giving Google your phone number more worrisome than giving Google all of your correspondence?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    2. Re:No thanks. by TheReaperD · · Score: 2

      More to the point, Google already knows your real name, address, phone numbers, sexual preferences (even ones you've never told anybody), shopping habits, travel behaviors and more than I can imagine. So, what difference does it make? Either don't use their service because you don't like the company's behavior (not going to change what they know about you, in this case), or use it to its fullest potential and get over yourself.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
  2. Needed it to protect my Bitcoin by Linsaran · · Score: 5, Informative

    About 3 years ago someone stole roughly 2.45 BTC from me.

    The event was a real wake-up call for me security-wise. They hacked my e-mail address to access a password reset form on Coinbase, and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on Coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through Google Authenticator instead, and 2FA set up on literally everything I can.

    It was only worth about $700 at the time, but now . . .

    --
    In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    1. Re:Needed it to protect my Bitcoin by Solandri · · Score: 2

      I'd recommend Authy instead of Google Authenticator. It's compatible, but adds a bunch of features like multi-device support, a PC client, and encrypted backup of its database. Most importantly, it simply adds a password. If you have Google Authenticator on your phone and you don't have the lockscreen enabled (or you hand your phone to a friend with it unlocked), anyone who picks up/steals the phone can use your Google Authenticator to login to the accounts it's supposed to be protecting. With Authy, you have to enter a passcode or password to be able to use it. It's free if you use it fewer than 100 times per month. (For enterprise use, try Duo.)

    2. Re:Needed it to protect my Bitcoin by Linsaran · · Score: 2

      I oversimplified my above explanation; what I said was technically accurate, but I should mention that they used the hijacked phone account to create an Authy account 'in my name' that Coinbase implicitly trusted even though I had never used Authy with them in the past. I'm not exactly sure why the Authy account was necessary for whatever scheme those assholes were pulling to get into accounts, but the fact that they used it soured me to the service. Not terribly worried about the Google auth since I have a lockscreen set up. And if I hand my phone to a friend unlocked and they start trying to steal my account info, then I think I have bigger problems.

      Thanks for the suggestion though.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
  3. For obvious reasons ... by Anonymous Coward · · Score: 2, Interesting

    Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication

    Because I refuse to give Google my cell phone number to text me, because there is no way in hell they need to be able to track me even further.

    That's a big old "hard no" there, chief.

    Google's 2FA is as much about them getting more information about you as it is your security.

    1. Re:For obvious reasons ... by grub · · Score: 2

      You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

      --
      Trolling is a art,
    2. Re:For obvious reasons ... by tepples · · Score: 2

      You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

      As I wrote in my reply to DontBeAMoran, you can't set up TOTP until you've set up SMS.

    3. Re:For obvious reasons ... by Obfuscant · · Score: 4, Insightful

      You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

      Yeah! This! You don't need to give them your phone number, you can let their app do it for you. Easy peasy.

      The summary comments on only 12% of people "securing" their accounts with a password manager. A password manager doesn't secure your account. It stores passwords. If you have one account and can remember your password, you don't need a password manager.

      A password manager is actually a one-point-of-failure way for a bad guy to get all your passwords.

    4. Re:For obvious reasons ... by swillden · · Score: 4, Informative

      You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

      This app requires the following permissions:
      Access to your phone book
      Access to storage devices
      Access to your camera
      Access to your microphone
      Access to your call records
      Access to your photos
      Ability to send SMS
      Ability to make calls
      Access to device identifiers
      Access to Internet
      Access to Wifi

      It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.

      Per the info on Google Play, the Google Authenticator app requires:

      Camera
      - take pictures and videos
      Other
      - create accounts and set passwords
      - full network access
      - control Near Field Communication
      - use accounts on the device
      - control vibration

      Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Phone number? SMS? by DontBeAMoran · · Score: 4, Insightful

    Why is everyone talking about cellphone numbers and SMS?

    Aren't we talking about Google's own Authenticator application?

    --
    #DeleteFacebook
    1. Re:Phone number? SMS? by bluefoxlucid · · Score: 3, Insightful

      You can use a FIDO U2F device, too.

      I have 2FA on. I'm a Congressional Candidate with a technology background; if I got hacked for not taking basic security countermeasures, I'd drop out of the race.

    2. Re:Phone number? SMS? by swillden · · Score: 2

      I have no idea what a Google Authenticator App is, let alone how it works, or what FIDO is or U2F. None of those things make sense, so why in the world would I ever use them?

      "Do a search" the lazy nerd would say.

      I'm a lazy nerd and that's not what I would say. I would say: "Go to myaccount.google.com and click on 'Signing in to Google'. It explains all of the options."

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Cost per received message by tepples · · Score: 2

    The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages. T-Mobile, for example, charges its pay-as-you-go customers 10 cents to send and 10 cents to receive. And no, Google and Twitter don't allow use of a FIDO U2F key or a TOTP client without also having a mobile phone number set up.

    1. Re:Cost per received message by tepples · · Score: 2

      I pay $35/month and that includes unlimited USA talk and text with my limited data. Maybe you need to get another carrier. Or at least another plan.

      I currently pay $3 per month to T-Mobile and get 30 minutes of USA talk, 30 USA texts, or a combination thereof per month, and zero cellular data. Thus the price difference between my pay-as-you-go plan and your unlimited plan is $32 per month or $384 per year. I'm interested to read a good case for how 2FA would be worth that much to me.

    2. Re:Cost per received message by torkus · · Score: 2

      Exactly how many times are you going to point out the SMS requirement to set up TOTP in a /. posting?

      SMS also provides a fallback if your auth token goes poof...and if you're a PAYG cell user and want the security then you spend the 10c on an SMS or two.

      BESIDES all that...google already knows your phone number if you use their services. Guaranteed. It's extremely unlikely they haven't parsed it from one of your emails, order receipts, account setup forms, signature lines, etc. already...or that of someone else you're associated with. Stamping your feet and 'refusing' to give that info up is as childish as it is pointless.

      Or, ya know, don't use a free TOTP on a free email service. Go pay for something that suits your particular needs.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  6. Must use SMS to set up TOTP by tepples · · Score: 3, Informative

    You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator":

    To set this up, first you need to complete SMS/Voice setup. Then, follow the directions for your type of device explained below.

    1. Re:Must use SMS to set up TOTP by sexconker · · Score: 2

      When I had to re-set up Google Authenticator for my Google account last February (due to my prior phone bricking itself), I was forced by Google to give them my phone number for an SMS message / voice call in order to set up the authenticator app.

  7. I used to, then stopped by Anonymous Coward · · Score: 5, Interesting

    I had 2FA enabled, then left my phone in an uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.

    1. Re:I used to, then stopped by swillden · · Score: 2

      Add some more 2FA options.

      Google allows you to set up a FIDO security token AND the Authenticator app AND one or more text/voice numbers AND a set of backup codes, any one of which will get you in. With enough different options, you'll never be locked out.

      I use all of the above. There is a caveat on the text/voice numbers, which is that attackers have been able to hijack cell numbers, so consider that carefully... but if you also have a good password you've significantly raised the bar for anyone to hijack your account if they have to both steal your password (which you never use anywhere else, and never enter into any form that isn't on a Google site, right?) and hijack your cell. It's also a good idea to test your backup codes periodically, though I've never had mine fail to work.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. obligatory Game of Thrones callback by stereoroid · · Score: 3, Informative

    "Fewer."

    --
    (this is not a .sig)
  9. Everyone Leads a Boring Life by Anonymous Coward · · Score: 2, Interesting

    Everyone thinks their secret box is more important than their neighbor's secret box.

    Guess what, all your emails are boring! I've been an SA since the 1990s and root on thousands of Unix servers dating back to SunOS-4, and no one has anything interesting in their emails.

    Stop inflating your egos by thinking everyone is after your special sauce. Unless you're connected to a politician or celebrity, no one gives the fattest rat's posterior what you gotta say or what you're sending plaintext.

  10. Re:Security by authority by vux984 · · Score: 2

    "2FA isn't secure if it only relies on a phone number as a substitute for cryptography. A single call to the outsourced customer service department of your phone company could transfer your number to the sim card of a malicious actor."

    So now it requires they know your phone number, and dedicate up to an hour or so of human time, of a human capable of social engineering a telco rep...to transfer a sim. They'll do that for a specific high value target, but not some rando.

    Plus, without 2FA, I've already pwned your account and stolen your bitcoins by the time you read this post. With 2FA, assuming I can even figure out your phone number (not a given), I'll still be on hold with your telco for another 10 minutes before I can even attempt to start social engineering a SIM transfer.

    You're absolutely right... 2FA isn't perfect, especially SMS based 2FA. But it's about a million times better than no 2FA at all.

  11. 2FA usability sucks by juancn · · Score: 2

    Passwords are bad, but are a lot less annoying than passwords plus 2FA. The loss of the second factor is basically a nightmare, and each service wants you to use their own app or whatever. Even changing phones becomes a hassle. I get it for an enterprise environment, where in an emergency you can call your local IT guy and get them to reset it for you, but if something goes wrong with Google you're screwed. You can't even pay to talk to someone to get it fixed.

  12. No cellphone access, no 2FA by mencik · · Score: 2

    Since I cannot have a cellphone in the office, no 2FA for gmail for me.

  13. Re:Yes! by DickBreath · · Score: 4, Funny

    I'm not going to use 2 factor because I don't want Google to know my gmail address.

    --
    I'll see your senator, and I'll raise you two judges.
  14. Don't need to give them more info by Solandri · · Score: 4, Informative

    Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.

  15. Re:Yes! by ShanghaiBill · · Score: 2

    Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead

    You aren't using it because you are already using something else. But for 90% of the public, if a popup asks "Do you want Chrome to remember this password?", they are going to think "Sure, why not?". But if someone later asks them "Are you using a password manager?", they will say "No", because they don't even know what that is.

  16. I Don't Always Have My Phone Handy by hduff · · Score: 2

    The concept is great, but if I accidentally left my phone at home, I'm locked out of my email.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  17. Indeed by OneHundredAndTen · · Score: 2

    For, who uses gmail for anything serious?

  18. Re:Yes! by swillden · · Score: 2

    Anyone clicking "Yes" on a "Remember the password for this Site?" prompt in Chrome, Firefox or Safari is a complete moron. Why would anyone trust Apple, Google or Mozilla with the Keys To Their Kingdom? I might have trusted Mozilla with them a decade ago, but not any more.

    If you use your gmail account as the primary account on all of your other sites, you are trusting Google with the Keys to Your Kingdom. Substitute whatever email service provider you use, because anyone who controls your email can almost certainly reset the password on any other account you have, unless that other account has some 2FA of its own. Security questions are weak in general, but even weaker against someone who has all your email and can mine it for answers.

    Also... you're apparently saying that you trust Google, Mozilla or Apple enough to type your passwords into their browsers but not enough to use their password storage solutions. Does that make any sense at all? The only way it makes sense is if you assume that they're not competent to properly secure the password database (which is fairly easy), but are competent enough to get the rest of the security right (which is very hard). It clearly makes no sense if you assume they might be maliciously interested in stealing your passwords, because you're typing your passwords into their browser.

    And, FWIW, if you set a sufficiently-long sync password on Chrome, Google has no access to the passwords that Chrome stores for you. Yes, they all get uploaded to Google, so they can be synced between Chrome instances on different machines, but they're all encrypted with your sync password.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  19. Re:My primary use of email by Ksevio · · Score: 2

    Well guess what? I'm going to hack your email and you'll be getting dogfood WHEN YOU STILL HAVE SOME! AHAHAHAHA

  20. Re:Yes! by sexconker · · Score: 2

    The "second factor" in most cases can absolutely be put into something like KeePass if you have the plugins to work with it. It's just a seed you jam into a hashing algorithm along with the current time.

    The only ones you need a third party for are those which are unknown to you (an awful idea). For example, a site sending you a one-time code (randomly generated, hopefully) via text or email. That's not 2 factor, that's 2 channel. (And SMS is a joke in terms of security, and email just verifies the person logging in has access to that email; there's no actual check that they are the person they claim to be.)

    Multi-factor authentication traditionally relies on 3 things. Something you are (a fat, ugly slob), something you have (the worst BO of all time) and something you know (a password). In the real world this works just fine. The guard at your workplace knows you, asks to see your badge, and you put your password into whatever terminal. There is active verification of these 3 different types of criteria. On the internet, they try to ape that security but in the end it's all "something you know". Whether that's the password, the seed for someone's password-generating clock, their phone number to pull the SMS down, a hash of their retina/fingerprint/anus/etc., it doesn't matter.

  21. Re:Dont trust by Shikaku · · Score: 2

    My keyfile is a specific string of text (with no returns to avoid the /n/r and /n text file differences between Windows and *nix). That way I can't lose it unless I forget that string of text, and I can easily remake it if need be from any text editor.

  22. fido u2f has low adoption, but is convenient. by bytestorm · · Score: 2

    I started using 2FA recently, before that unique passwords & pw manager. I've never been bitten by security problems, but I'm relatively low profile.

    Working with u2f (yubikey) and totp (google authenticator) has been a bit annoying. Most sites don't support u2f, or even 2FA in general. The ones I want to have 2FA, like my bank, do not, or they implement it through sms/email. Some sites, like Facebook, have issues with multiple u2f tokens (i.e. second and subsequent tokens do not work). It requires extra effort to get gmail working in external clients with saved device trust instead of 2FA as well.

    Actually using u2f has been nice though, even with chrome on android via nfc. Once things are set up on a site, it's very reliable.

  23. Who uses? by MercTech · · Score: 2

    Who uses a web based email server and expects security? Even back in the 90s people knew better than to rely on Hotmail, Yahoo, and Gmail. I don't bother with high security on gmail as it is my throw away spamertizer catcher address used to sign onto web pages that require a valid email to read their articles.

    --
    NRRPT/RCT