Less Than 10% of Google Accounts Use Two-Factor Authentication
At the Usenix Enigma 2018 conference held in California, Google specialist Grzegorz Milka presented a report highlighting a troubling situation regarding two-factor authentication (2FA). Although it has been seven years since Google allowed Gmail users to enable 2FA for their accounts, this valuable security feature is still rarely used.
According to Milka, less than 10% of active Google accounts are currently protected by two-factor authentication. Furthermore, a 2016 Pew Research Center study found that only 12% of American users use a password manager to protect their accounts.
Why Isn’t Two-Factor Authentication Mandatory?
After the presentation, journalists from The Register asked Milka why Google hasn't made two-factor authentication mandatory, given the low adoption rate. Milka explained that the main obstacle is usability. Google is concerned that forcing additional security measures would be seen as too complicated, causing users to react negatively or even stop using Google services altogether. The company is working to make two-factor authentication simpler and more user-friendly by offering various options, but for most users even entering a phone number to receive SMS verification codes is considered too much effort.
As a result, Google engineers are currently focusing on improving heuristic algorithms designed to detect suspicious behavior (i.e., account hacking attempts).
How Hackers Exploit Compromised Accounts
Milka also shared that after gaining access to someone else’s account, most hackers follow a similar pattern: they disable notifications for the real owner, search emails for valuable information (such as cryptocurrency wallet details, bank card data, or private photos), copy the contact list, and then set up filters to hide their activity from the account owner.
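The filter step of that pattern leaves a durable trace that an account owner or administrator can look for. The following checker, added here as an example and not code from the article or from Google, audits a list of mailbox filter rules for the two behaviours described: forwarding mail to an address outside the account's own domain, and silently hiding (deleting, archiving or marking as read) messages that would warn the owner, such as security alerts or password and verification-code emails. The rule format is a constructed, provider-neutral dictionary, not any vendor's API schema; `OWN_DOMAINS`, the sample rules and the sensitive-term list are all assumptions.

```python
"""Audit mailbox filter rules for the hide-your-tracks pattern.

Added example, not from the article. Rules are plain dictionaries:
  {"id": str, "criteria": {"from": ..., "subject": ...},
   "actions": [...], "forward_to": "user@domain" or None}
"""

# Assumption: domains the account owner legitimately forwards to.
OWN_DOMAINS = {"example.com"}

# Actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = {"delete", "archive", "mark_read", "skip_inbox"}

# Subjects/senders an intruder would not want the owner to read.
SENSITIVE_TERMS = (
    "security alert", "new sign-in", "password", "verification code",
    "2-step", "two-factor", "recovery",
)


def flag_rule(rule, own_domains=OWN_DOMAINS):
    """Return a list of reasons this rule looks suspicious (empty if clean)."""
    reasons = []

    # 1. Forwarding to an address outside the account's own domains.
    fwd = rule.get("forward_to")
    if fwd:
        domain = fwd.rsplit("@", 1)[-1].lower()
        if domain not in own_domains:
            reasons.append(f"forwards to external address {fwd}")

    # 2. Hiding mail that would alert the owner.
    hides = set(rule.get("actions", [])) & HIDING_ACTIONS
    criteria = rule.get("criteria") or {}
    crit_text = " ".join(str(v) for v in criteria.values()).lower()
    if hides and any(term in crit_text for term in SENSITIVE_TERMS):
        reasons.append(
            f"hides security-related mail ({', '.join(sorted(hides))})"
        )

    # 3. Hiding everything: no criteria at all, but a hiding action.
    if hides and not criteria:
        reasons.append("hides all incoming mail (no criteria)")

    return reasons


def audit_filters(rules, own_domains=OWN_DOMAINS):
    """Map rule id -> reasons for every rule that raised at least one flag."""
    findings = {}
    for rule in rules:
        reasons = flag_rule(rule, own_domains)
        if reasons:
            findings[rule["id"]] = reasons
    return findings


# Constructed sample rules: one benign, three matching the described pattern.
SAMPLE_RULES = [
    {"id": "r1", "criteria": {"from": "newsletter@shop.example.com"},
     "actions": ["label:shopping"], "forward_to": None},
    {"id": "r2", "criteria": {}, "actions": [],
     "forward_to": "collector@mail.test"},          # copies all mail out
    {"id": "r3", "criteria": {"subject": "Security alert"},
     "actions": ["mark_read", "delete"], "forward_to": None},
    {"id": "r4", "criteria": {}, "actions": ["archive", "mark_read"],
     "forward_to": None},                          # blanket inbox hiding
]


if __name__ == "__main__":
    for rule_id, reasons in audit_filters(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(reasons))
```

Run against an export of real filter rules, any hit on `r2`-style forwarding or `r3`/`r4`-style hiding is worth a manual look; legitimate rules that match should be rare enough to review by hand.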