Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google …

Anonymous Coward

Not Surprised

I wish I could say I was surprised by these figures but, as a network admin who enforces 2FA on all of the systems I manage, so who has to deal with the faux ignorance of users as a result, and given that passwords like 12345678 and Password123! still figure highly in password breach lists, I am, in all honesty, not.

There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities) and lots of good reasons to use it. My extended network of contacts whose systems I don't manage means that I still speak to people who suffer system breaches that would have been prevented by 2FA but even after suffering a breach, people would rather substitute one bad password that they use on more than one system for another bad password that they use on more than one system and pretend they've solved the problem and that it can't happen again. In circumstances such as that, and in this day and age, it's hard not to think that they deserve all that's coming to them.

10
8
Silver badge

Re: Not Surprised

"I wish I could say I was surprised by these figures but, as a network admin who enforces 2FA on all of the systems I manage"

How did you manage to achieve that? I suspect a lot of enquiring minds would like to know.

4
1
Silver badge
Holmes

Re: Not Surprised

Admin: "Welcome to $company. You have your choice of using an RSA token or smartphone token app to log in. Please set your PIN now."

Sorted.

17
2
Silver badge

@AC Re: Not Surprised

There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities)

huh?

If you are disabled and can use a computer, then you can use a phone app to do the 2FA key.

But yeah, I'm one of the 10% who does it on my active gmail accounts.

5
6
Anonymous Coward

Re: @AC Not Surprised

I'm not suggesting disabled users can't use 2FA, just that there *might* be issues that I am unaware of given tech companies still have some way to go with accessibility.

12
1
Silver badge

Re: @AC Not Surprised

If you are disabled and can use a computer, then you can use a phone app to do the 2FA key.

Nonsense. The number of exceptions is vast, even before you bring disabilities into the picture. We have an office with completely stable cabled internet but no cell coverage on anything but O2 (and it isn't reliable) and customers who either can't (underground facility) or won't (compliance) allow external communication that doesn't go through their firewalls (we can log in to our mail server but cell phones stay with security at the gate). 2FA can work with the little calculator gizmos that some banks issue, but anything dependent on cellphones is a non-starter.

34
4
Anonymous Coward

Re: Not Surprised

I too enforce it. Gapps for work. It's in the admin settings.

https://torbjornzetterlund.com/enable-enforcing-2fa-g-suite/

It's a very secure setup and we have several thousand users, happy with Google suite, and no issues with 2FA. All for a fraction of the price of a Microsoft office suite, we get a superb, secure, integrated, use-anywhere office, mail, calendar and collaboration suite.... We laugh at organisations that think it's the 1990s and shop accordingly.

Before some clueless numpty chimes in about Google privacy. Gapps for business and education have their own policies...

https://support.google.com/googlecloud/answer/6056650?hl=en

7
7
Silver badge

Re: Not Surprised

We did it gradually, by convincing departments. After a year all but one team had voluntarily moved over. Then that one team got very publicly phished and they suddenly got the message.

2
0
Flame

Re: Not Surprised

If it's duo, please for the love of god turn off the setting to detect rooted phones. I factory reset two different phones from the graveyard drawer and still couldn't log in because both had their bootloader fuses set. Had to buy myself a fresh phone just for corp login.

4
0
Anonymous Coward

@AC - Re: Not Surprised

Google talk about privacy is like Stalin lecturing on human rights. It's good to know it exists but don't count on it happening.

21
2

Re: Not Surprised

Precisely why I have not gone 2FA on my personal Gmail. Stuffed without a phone with signal. I do use a pwdman though.

14
7
Anonymous Coward

Re: Not Surprised

> "There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities) "

Last time I looked at GMail's 2FA, it wanted to either use a smartphone app, or send me an SMS. First option's out as I don't own a smartphone (which, depending on the age bracket you look at, is not that uncommon - heck, my parents don't even have a mobile phone). Second option didn't work as I didn't get the SMS within 3 hours, and the code timed out, as did the next. Yes, there are ways around these issues (e.g. MS will phone you with an audio code, or you could use an RSA SecureID [although who pays for that may well be a barrier]), but there are some real usability issues with it once you get to the point of "cannot use a phone for this" (even if it is a good idea).

17
4
Anonymous Coward

Re: @AC Not Surprised

That's because you still think the only way to do 2FA is via SMS. Not only is it not the only way, it's the most insecure way.

7
4

Re: Not Surprised

An authenticator app does not rely on having signal. It does need power and the phone, obviously.

11
0
Silver badge

Re: Not Surprised

"Last time I looked at GMail's 2FA, it wanted to either use a smartphone app, or send me an SMS. First option's out as I don't own a smartphone"

For starters that makes you very unusual, most people who don't own phones don't own computers either.

Also, there's a Windows app to use if you really don't have access to a smartphone or a tablet.

1
12
Silver badge
FAIL

Re: Not Surprised

Why use 2FA on a system that hands your emails over to anyone who asks?

9
3
Holmes

Re: @AC Not Surprised

I thought Google's 2FA can use a smartphone with wifi?

2
1
Silver badge

Re: Not Surprised

"For starters that makes you very unusual, most people who don't own phones don't own computers either."

Nonsense. Most of my parents' 70 to 80 year old friends have computers, if only for video chat with their grandchildren.

The Saga holidays booking system has 2FA. By SMS, because the "no smartphone" is exactly the demographic they're targeting.

5
0
Anonymous Coward

Re: Not Surprised

And I bet the take-up for 2FA on Saga's system makes Gmail's look massive!

0
0
Anonymous Coward

Re: @AC Not Surprised

All of the major authenticator apps will generate codes while offline, yes.

1
0
Anonymous Coward

Re: Not Surprised

" "I wish I could say I was surprised by these figures but, as a network admin who enforces 2FA on all of the systems I manage"

How did you manage to achieve that? I suspect a lot of enquiring minds would like to know."

Ditto!

you actually get a say in how things are done? that must be awesome! do you own the company?

nobody ever asks my opinion on anything. I sit in the corner of a shared office listening to the fallout of a cavalcade of totally avoidable wreckage spewing past my ears. It's not good for my stress levels just listening to the fucked-up-ness that I hear all day; must be worse for those actually having to deal with it. When they're not doing that, they are doing incredibly laborious data entry jobs that could easily have been automated. I offered to automate it, but this fell on deaf ears ... "oh we're doing that one day ... may as well leave it for now ..."

1
0
Thumb Down

Re: Not Surprised

"There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities)"

I have no cell-phone coverage, thus whenever I have to receive one of these code numbers, I must drive a mile or so until I reach a safe place to stop and wait for my 'phone to wake up to the fact that there is now signal and for the SMSC to wake up and forward the text messages it has accumulated for me, and once I have received the code I have to drive back and hope that the process I have started will allow me to carry on from where I left off.

This is tedious.

I do - in fact - have 2FA enabled on my google accounts and I always have to go through the "more options" | use backup codes route; but at least Google provides this option, my ire is directed at the other sites which refuse to acknowledge the possibility of less than 100% coverage for 100% of all networks!

3
1
Silver badge
Flame

Re: @AC Not Surprised

That's still entirely Google's fault.

First there's the fact that my cheapo smartphone doesn't have any room left for yet another app (mostly because Google insist that I keep its own Play-related apps installed and up-to-date even though I never used them, ever, and never will, and also partly because GNURoot Debian is more important to me than pretty much anything else -and nothing of that can be installed on my humongous SD cards because Google's own Android won't allow it without jailbreaking the phone).

And then I only use my Gmail account through IMAP -I only log in my Google accounts when Google forces me to do so because apparently logging in via IMAP from across the street (let alone from abroad) is apparently considered suspicious enough to warrant an account lockdown. Given that my mail apps have, to put it lightly, QUITE decent security features, 2FA would actually decrease both usability and security for me (stealing and unlocking my phone would be a whole lot easier than breaking my accounts from the user side, although of course if The Big G slips and gives access to my account from the inside I'm stuffed, but 2FA can't solve that).

There is of course a bit of stubbornness from my side, too : I couldn't be bothered to keep my smartphone with me at all times to save my life.

The day Google enforces 2FA, I'm gone. I can't be the only one.

Note that I do use 2FA for my banking operations, even though my bank doesn't mandate it. I choose the card-reader password generator, because even though it's a bit more cumbersome it's actually 3FA (webform login, physical card, and NIP). 3.5 FA if you take the card reader into account.

1
0
Anonymous Coward

Re: Not Surprised

I'm really surprised that there would be a question about how I'm able to enforce 2FA on all the systems I administer. @Throatwarbler Mangrove's response summed it up really rather well I felt:-

"

Admin: "Welcome to $company. You have your choice of using an RSA token or smartphone token app to log in. Please set your PIN now."

Sorted.

"

I've done this for the last 3 years with several different companies but to be fair, the largest was only about 120 people. They were in 5 offices in the UK, Hong Kong and China, as well as quite a few home based users though. It wasn't easy but it was easier than fixing a breach caused by the criminally awful passwords users choose, and easier for them to deal with than dealing with me leaving. I always explained the reasons why we were using it and made easy-to-follow documentation easily available (I even did a video). But the secret sauce had two ingredients: a splash of belligerence (see @Throatware Warbler's reply) and a generous helping of trickery, which was to make it as easy as possible for a few key execs, even if that meant doing everything 2FA related for them so that when people complained to them they couldn't understand what the fuss was about and told people to just do as I said.

1
0
Silver badge

Re: Not Surprised

As a sidenote to my last comment, I should probably mention that our pro mail system is unreachable from outside the local network, and that I host my own mail server for sensitive personal stuff. My Google accounts are thus only seeing mundane, unimportant material (as they bloody should).

0
0

Re: Not Surprised

I totally agree with this - I did have 2FA on - then my phone signal died. I live in rural Norfolk - it's not Google's fault the mobile phone network in rural UK is so bad! When I had a problem in 2016 it was HELL getting back on because I had given a mobile phone number that I could no longer use. There has to be another way?

0
0
Anonymous Coward

What range of options do Google offer for 2FA?

2FA by TXT is just another attack vector (examples below). For instance, can you use a different dedicated 'throwaway' email address instead? Most users don't care maybe, but others don't want to give Google their cell with the all pervasive tracking that leads to. General apathy is another issue. Following the headlines below some users may think, what's the point?!

~

"#2FA is akin to adding a second lock to the front door... while leaving the back door open"

http://www.theregister.co.uk/2015/12/30/krebs_paypal_hack_criticism/

~

The malware can read SMS messages, which means it can also circumvent (two factor authentication) 2FA systems.

http://www.theregister.co.uk/2016/02/15/android_trojan_mazar_bot/

~

Criminals persuade phone providers to divert mobile phone numbers in what is sometimes called "SIM swap fraud".

http://www.bbc.co.uk/news/business-35716872

~

US standards lab says SMS is no good for authentication

https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication/

~

The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact

http://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

~


Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/

~

25
4
Anonymous Coward

SMS 2FA shouldn't even count as "security"

2FA by TXT is just another attack vector (examples below).

^ ^ ^ this ^ ^ ^

For a proximity attack, defeating SMS 2FA doesn't even require the more esoteric vectors in the other AC's post. Most phones show text messages on the lock screen by default, and most people leave it that way for convenience. Think how many people leave their phone face up on their desk, or on the table at the coffee shop, etc. If an attacker can get brief physical access to the device, s/he can grab the auth code (and possibly even acknowledge or delete the message), leaving no obvious trace. The target will have no idea how they got hacked, because "they did everything they were supposed to."

7
7
FAIL

Re: What range of options do Google offer for 2FA?

Utter nonsense. It's not perfect, but it's still a million times better than not having it at all.

Google also of course offer more secure offerings too. But even 2FA by SMS is better than FA....

16
12
Silver badge

Re: SMS 2FA shouldn't even count as "security"

I have to call BS on the AC posts.

2FA may use SMS txts. BTW you can set your phone to not show texts on your lock screen....

But you can download DUO or Google's tool for setting up 2FA. Then you only have to have your phone handy with you.

6
5
Silver badge

Re: What range of options do Google offer for 2FA?

They offer other options as a preference to SMS - hardware token, voice call, authenticator app, smartphone prompt and there's also 10 backup codes that can be regenerated any time.

Those wary of potential SMS hijacking should be well covered with the other options.

7
1
Anonymous Coward

Re: SMS 2FA shouldn't even count as "security"

The point here is 2FA blocks the common failure point: someone from Pakistan has guessed your password, but needs to physically find you and get your phone...

That is a pretty huge barrier right there and it makes even SMS 2FA massively more secure than not having it at all..

Anyone saying you shouldn't bother at all, frankly is dangerous.

25
7
Anonymous Coward

Re: SMS 2FA shouldn't even count as "security"

My phone doesn't accept SMS texts. It isn't a "smart" phone. It's difficult to take more than 20' from a wall connection and maintain signal.

10
8
G2

Re: SMS 2FA shouldn't even count as "security"

Google supports FIDO U2F hardware tokens/keys = no more SMSs needed, and if you enable the Advanced Protection Program setting for your Google Account then U2F keys are mandatory for login.

(you will need minimum 2 keys, just in case one of them malfunctions)

https://landing.google.com/advancedprotection/

https://support.google.com/accounts/answer/6103523

When you enable the advanced protection mode Google will even prevent the use of SMS for authentication or account recovery because U2F is then mandatory for all account operations.

3
2

Re: SMS 2FA shouldn't even count as "security"

@AC using a corded landline, you'll find that Digital Dorothy will call you and read the message out to you.

3
0
Silver badge
Headmaster

Re: SMS 2FA shouldn't even count as "security"

If you have a BT landline you actually can receive SMS messages. It'll call you and read them out once received. So not as big a problem as you might think.

4
0
Anonymous Coward

Re: SMS 2FA shouldn't even count as "security"

ssshh, that doesn't fit the Google-Hate agenda.

8
3
Silver badge

Re: What range of options do Google offer for 2FA?

"Most users don't care maybe, but others don't want to give Google their cell with the all pervasive tracking that leads to."

If you're using Gmail, it's a bit late to be worrying about giving Google your details.

4
3
Silver badge

Re: SMS 2FA shouldn't even count as "security"

err .. you're suggesting passing the authentication secret over the open phone network in cleartext ?

0
1
Silver badge

Re: @Cuddles

Quite the opposite - I might have several gmail accounts for various different aspects of my life, I don't want to make it trivial for Google to tie them all together by the one phone number, nor to buy multiple disposable phones for 2FA. Also those accounts are of low value to me anyway.

2
1

Re: SMS 2FA shouldn't even count as "security"

@ adrian 4 "you're suggesting passing the authentication secret over the open phone network"

yes, so what - it's a one time secret. If you manage to eavesdrop on that message somehow, how are you then going to enter it into my browser that requested it?

0
0
Silver badge

Of course they don't use it

"Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone."

Sharing my phone number with Google? You serious? Absolutely not, because I simply do not trust them not to abuse my number for "other activities" such as sending me "very important" updates about their commercial partners, in other words: plain out spamming me.

See, and this is also where 2FA becomes somewhat pointless. Because what if you can't use an external device (such as your phone)? Simple: then they'll send you the extra step using other methods. For example a webpage so that you can authenticate yourself twice from the same machine (your computer). So if your computer gets taken over you're still screwed.

Which is another point for concern: session cookies. Generally speaking everyone clicks "remember me" thus allowing themselves to automatically log back in once they revisit the website. Steal all those cookies and...

2FA is nice, but it doesn't solve the main problem.

44
15

Re: Of course they don't use it

It sounds like you're arguing against the need for pool safety fences around pools.

4
12
Anonymous Coward

Re: Of course they don't use it

Sigh, so many cretins here that don't understand basic technology. Just because you use your phone as the 2FA auth, doesn't mean you have to give them your phone number... Also Google don't phone you up with promotions. Have you even bothered to read their privacy policy???

Keep flipping the burgers, it's best you stay clear of tech sector jobs, and I would also disconnect from the internet, as it's clear you have trouble distinguishing fact from fiction.

24
35
Silver badge

Re: Of course they don't use it

Plus, giving Google (or any tech company) your mobile number provides them with yet another way to cross-correlate you with other online and offline data that they have gathered.

IMO the only useful 2FA method that addresses the lost-device problem is to use an app like Authy, that allows you to back up your code generator settings and access them on another device. Of course, that means the backup mechanism itself becomes an attack target...

Dang. Security is hard...

21
4
Silver badge

Re: Of course they don't use it

You don't have to give your phone number to Google. I'm with you on not wanting to do that.

So I use the authenticator app. If you don't trust Google's app then there are third party versions. And you can use printed out codes as a backup in case of phone failure.

Doesn't protect you against lost laptop/phone scenarios but does protect against phishing scams.

7
1
Silver badge

Re: Of course they don't use it

"Have even bothered to read their privacy policy?"

"Privacy policies" are only as trustworthy as the people who are issuing them. If someone doesn't trust Google to begin with, nothing in their privacy policy has meaning.

17
3
Silver badge

Re: Of course they don't use it

I was looking at Authy the other day. The idea of being able to restore/migrate 2FA generation between devices (rather than having to set each one up again) appealed.

But it's another "free" app so it's not clear how/when they intend to monetise their customer base. And I'm not sure I'm comfortable handing over my multitude of 2FA code generators to them for "free". At least I know what I'm getting into with giving my mobile number to Google.

5
0
Anonymous Coward

Re: Of course they don't use it

You sound like an absolute nutter.

Companies the size of Google, Apple and Microsoft have to abide by their privacy policies; the might of the EU and US governments would crucify them in public if they were not following them.

9
20
Silver badge

Re: Of course they don't use it

Companies the size of Google, Apple and Microsoft have to abide by their privacy policies; the might of the EU and US governments would crucify them in public if they were not following them.

Sure, but whilst their privacy policies say they won't share your number with anyone else, it's what they do with it themselves.

For example all Android devices report the caller ID of phone calls back to Google, who then look it up in the owner's contacts list and build up a handy network of who calls them and who they call. So even if you've not explicitly given them your phone number and your contacts, they'll have it simply because of the likelihood of your having called someone with an Android device who has given them that.

Meanwhile you've no relationship with Google, and they're free to do whatever they like with your number.

In some countries this storing of records without permission to hold them is illegal, but they do it anyway. It's simply too complicated for politicians and regulators to keep up with. Doing little more than targeting ads supposedly more accurately is a way of monetising this without it being too obvious.

15
3

Biting the hand that feeds IT © 1998–2018