Google has finally admitted something alarming about the world’s one billion regular Gmail users – barely any have turned on two-step verification (2SV) security.
Seven years after 2SV first appeared, take-up is still under 10%, engineer Grzegorz Milka is reported to have told a session at the USENIX Enigma 2018 security conference.
Milka went on to mention a Google-sponsored study from November that analysed how criminals target Gmail accounts, and why those accounts have become so highly prized, which suggests the company is not happy with this status quo.
One could debate whether ‘under 10 percent’ is really that bad – that’s at least tens of millions of accounts after all – but what’s clear is since 2011 Gmail has added a lot of new users without adding a lot of new 2SV users.
The importance of using 2SV (a form of multi-factor authentication or MFA) with Gmail and other sites has been a running theme on Naked Security for some time. It's not difficult to set up, it costs nothing and, best of all, it raises the bar for any attacker who has only a stolen or phished password.
Why, then, aren’t more Gmail users interested?
Milka offered a clue when he was asked why, if it’s such a great idea, Google doesn’t simply make using it mandatory:
It’s about how many people would we drive out if we force them to use additional security.
It seems people have enough trouble coping with passwords that enforcing another security layer through 2SV would break usability.
Google's caution is understandable but overly pessimistic. The real problem with 2SV isn't that it's irksome to use – it isn't – but that not enough people have heard of it or, if they have, are confused by the myriad ways of using it across different services.
With Gmail, one place to start is by running the ‘Security Check-Up’ in the Google account settings, which tells the user whether they have 2SV turned on or not.
If not, the oldest option to add it is SMS, which sends a one-time code as a text message whenever a user logs in from an unrecognised device. A lot of sites, including Google, still offer this but it's no longer considered strong: the code travels over the phone network and can be redirected by attacks such as SIM-swap fraud, in which a criminal persuades the carrier to move the victim's number onto a SIM they control.
Recently, Google has started pushing users towards something called Google Prompt, which verifies logins with a simple yes/no question sent as a push notification to Android and iOS devices through Google's own apps and services rather than over SMS, so there is no code for a SIM-swapper to intercept.
A more involved but versatile option is to download Google's Authenticator app, which generates one-time codes on the phone itself. The service and the app share a secret once, usually by scanning a QR code during setup; after that each code is computed from that secret and the current time, so nothing needs to be sent via a public network at all. Because this is the standard TOTP scheme, Authenticator also works with third-party services such as WordPress, LastPass, and Facebook.
The most secure option of all is to use a hardware token such as the USB-based U2F YubiKey. Because the key signs a challenge that is bound to the website's origin, a code entered on a look-alike phishing site is useless to the attacker, which is a protection none of the other methods offer. The drawbacks are cost (around $20) and the need for a separate NFC-capable token to use it with a smartphone.
Gmail users who believe they are at particular risk of being targeted by criminals can join the Advanced Protection Program (APP), a free service that requires hardware security keys for sign-in and imposes additional checks, including restrictions on third-party app access to account data, when accessing accounts. This is only recommended where the extra hassle can be justified.
See the problem? Too many choices. But better too much of a good thing than to go on avoiding the fact that using an important online service without some form of MFA has become a risk no informed user should take.