Less than 10% of Gmail Users have Two-Factor Authentication Enabled
If you don’t use Gmail’s two-factor verification, you’re not alone. At the Usenix Enigma 2018 security conference this week, Google software engineer Grzegorz Milka revealed that more than 90 percent of active Gmail users haven’t enabled two-factor authentication on their accounts, and that 10 percent of the people who have enabled it are having trouble working out how to use the SMS validation codes sent to their phones.
The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”
Two-factor authentication, or 2FA, adds an additional layer of authentication to the login procedure. When 2FA is enabled on an online service and you enter your username and password, you are prompted for an extra piece of information before you are permitted to sign in – normally a randomly generated series of letters and numbers delivered through a text message or an application such as Google Authenticator. Other forms of 2FA require a special hardware token (usually in the form of a USB keyfob such as Yubico’s YubiKey) certified by the FIDO Alliance, the industry consortium entrusted with creating interoperable security standards.
In October, a new 2FA method was introduced that replaced SMS with “Google Prompt”, a confirmation screen built into Google Play services on Android and Google’s application on iOS. It doesn’t require you to enter a passphrase, relying instead on inferences such as the geographical location of your phone and the time of day to check your identity. The company also launched a new service, the Advanced Protection Program, which requires high-level accounts to use USB 2FA security hardware instead of Google Prompt or SMS.