Slashdot Mirror


Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk)

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

8 of 254 comments

  1. No thanks. by b0s0z0ku · · Score: 4, Insightful

    Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.

    Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.

  2. Needed it to protect my Bitcoin by Linsaran · · Score: 5, Informative

    About 3 years ago someone stole roughly 2.45 BTC from me.

    The event was a real wake-up call for me security-wise. They hacked my e-mail address to access a password reset form on Coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on Coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through Google Authenticator instead and 2FA set up on literally everything I can.

    It was only worth about $700 at the time, but now . . .

    --
    In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
  3. Phone number? SMS? by DontBeAMoran · · Score: 4, Insightful

    Why is everyone talking about cellphone numbers and SMS?

    Aren't we talking about Google's own Authenticator application?

    --
    #DeleteFacebook
  4. I used to, then stopped by Anonymous Coward · · Score: 5, Interesting

    I had 2FA enabled, then left my phone in an Uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into Gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.

  5. Re:For obvious reasons ... by Obfuscant · · Score: 4, Insightful

    You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

    Yeah! This! You don't need to give them your phone number, you can let their app do it for you. Easy peasy.

    The summary comments on only 12% of people "securing" their accounts with a password manager. A password manager doesn't secure your account. It stores passwords. If you have one account and can remember your password, you don't need a password manager.

    A password manager is actually a one-point-of-failure way for a bad guy to get all your passwords.

  6. Re:Yes! by DickBreath · · Score: 4, Funny

    I'm not going to use 2 factor because I don't want Google to know my gmail address.

    --

    I'll see your senator, and I'll raise you two judges.
  7. Don't need to give them more info by Solandri · · Score: 4, Informative

    Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.

  8. Re:For obvious reasons ... by swillden · · Score: 4, Informative

    You don't need to give them your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

    This app requires the following permissions:
    Access to your phone book
    Access to storage devices
    Access to your camera
    Access to your microphone
    Access to your call records
    Access to your photos
    Ability to send SMS
    Ability to make calls
    Access to device identifiers
    Access to Internet
    Access to Wifi

    It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.

    Per the info on Google Play, the Google Authenticator app requires:

    Camera
    - take pictures and videos
    Other
    - create accounts and set passwords
    - full network access
    - control Near Field Communication
    - use accounts on the device
    - control vibration

    Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.