Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication (theregister.co.uk) 254
It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
No thanks. (Score:4, Insightful)
Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.
Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.
Re: (Score:2)
So getting all your email isn't a concern but getting a few minor additional bits of information is? Anyway you can just use their authenticator and print off emergency-use codes, no need to give them additional info.
Run your own mail server if you're that concerned, it's not very difficult. You could even do it in aws quite cheaply; they will setup reverse DNS for a static (elastic) IP if you fill out a form.
If that is too insecure, I suggest writing encrypted letters to folks and making sure they have a d
Does not follow (Score:2)
So getting all your email isn't a concern
Here I assume you mean someone ELSE getting my email? Honestly that is less of a concern to me than Google having more information on me, yes.
That said Google already has my phone number through lots of other means so I',m not sure I care that much. Still have not turned on two-factor because I use secure passwords (yes I know two-factor would still be better). One impediment is having to re-enter passwords across several devices after I switch over.
Re: (Score:3)
Not everyone wants to give Google more personal info
How is giving Google your phone number more worrisome than giving Google all of your correspondence?
Re: (Score:2)
If there is only one factor then prime factorization won't work because the single factor is prime.
Don't need to give them more info (Score:5, Informative)
Re: (Score:2)
Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.
I certainly understand (and share) this concern, but that's a problem with having a Google account at all, rather than a problem with enabling 2FA on an existing account, since they don't require any of those details when setting up 2FA. With my current Google account, I gave them the bare minimum during account creation. They don't have any of my phone numbers, they don't have my real name, and the only reason they have an alternate e-mail address for me is because I registered my account using that addres
Re: (Score:2)
Re: (Score:2)
One thing to be very aware of with Google Authenticator is that if you move phone, you have to be very careful or all your auth will remain tied to the old phone. People have complained about this and it can be a very serious problem for you.
Other apps allow you to migrate your registered auth to new devices. Authy is much better, and provides you with a sync option.
Re: (Score:2)
not entirely true, you can just go to the 2fa web site and login without needing 2fa and turn it off, then back on. it will require a reenroll.. but hey, at least there is a security flaw to exploit when yer hosed, and only when yer.. wait...
Re: (Score:3)
More to the point, Google already knows your real name, address, phone numbers, sexual preferences (even ones you've never told anybody), shopping habits, travel behaviors and more than I can imagine. So, what difference does it make? Either don't use their service because you don't like the company's behavior (not going to change what they know about you, in this case), or use it to it's fullest potential and get over yourself.
Needed it to protect my Bitcoin (Score:5, Informative)
About 3 years ago someone stole roughly 2.45 BTC from me.
The event was a real wake up call for me security wise. They hacked e-mail address to access a password reset form on coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through google authenticator instead and 2FA set up on literally everything I can.
It was only worth about $700 at the time, but now . . .
Re: (Score:3)
Re: (Score:3)
I over simplified my above explanation, what I said was technically accurate, but I should mention that they used the hijacked phone account to create an Authy account 'in my name' that Coinbase implicitly trusted even though I had never used Authy with them in the past. I'm not exactly sure why the Authy account was necessary for whatever scheme those assholes were pulling to get into accounts; but the fact that they used it soured me to the service. Not terribly worried about the google auth since I have
For obvious reasons ... (Score:2, Interesting)
Because I refuse to give Google my cell phone number to text me, because there is no way in hell they need to be able to track me even further.
That's a big old "hard no" there, chief.
Google's 2FA is as much about them getting more information about you as it is your security.
Re: (Score:3)
Re: (Score:3)
You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
As I wrote in my reply to DontBeAMoran [slashdot.org], you can't set up TOTP until you've set up SMS.
Re: (Score:2)
Re:For obvious reasons ... (Score:5, Insightful)
You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
Yeah! This! You don' t need to give them your phone number, you can let their app do it for you. Easy peasy.
The summary comments on only 12% of people "securing" their accounts with a password manager. A password manager doesn't secure your account. It stores passwords. If you have one account and can remember your password, you don' t need a password manager.
A password manager is actually a one-point-of-failure way for a bad guy to get all your passwords.
Re: (Score:2)
Re:For obvious reasons ... (Score:5, Informative)
You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
This app requires the following permissions:
Access to your phone book
Access to storage devices
Access to your camera
Access to your microphone
Access to your call records
Access to your photos
Ability to send SMS
Ability to make calls
Access to device identifiers
Access to Internet
Access to Wifi
It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.
Per the info on Google Play, the Google Authenticator app requires:
Camera
- take pictures and videos
Other
- create accounts and set passwords
- full network access
- control Near Field Communication
- use accounts on the device
- control vibration
Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.
Sounds reasonable (Score:2)
I use my gmail account as a spam dump - you want to send me something that I'm not asking for, you get my gmail account. I suspect many other people use it for that as well. Note that this only assumes accounts using the "gmail" domain and not business accounts that are hosted by Google (and are gmail accounts in all but name).
Next on the list are kids who wouldn't be savvy enough (or have a credit credit/cell phone), then I don't see them using two factor authentication. Then you have companies that cre
Phone number? SMS? (Score:5, Insightful)
Why is everyone talking about cellphone numbers and SMS?
Aren't we talking about Google's own Authenticator application?
Must use SMS to set up TOTP (Score:4, Informative)
You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator" [google.com]:
Re: (Score:2)
That's weird, I never had phone service on my old iPhone and their authenticator works fine.
Re: (Score:3)
When I had to re-set up Google Authenticator for my Google account last February (due to my prior phone bricking itself), I was forced by Google to give them my phone number for an SMS message / voice call in order to set up the authenticator app.
Re:Phone number? SMS? (Score:4, Insightful)
You can use a FIDO U2F device, too.
I have 2FA on. I'm a Congressional Candidate with a technology background; if I got hacked for not taking basic security countermeasures, I'd drop out of the race.
Re: (Score:3)
I have no idea what a Google Authenticator App is, let alone how it works, or what FIDO is or U2F. None of those things make sense, so why in the world would I ever use them?
"Do a search" the lazy nerd would say.
I'm a lazy nerd and that's not what I would say. I would say: "Go to myaccount.google.com and click on 'Signing in to Google'. It explains all of the options."
No mobile (Score:2)
Re: (Score:2)
Re: (Score:2)
I've got about six websites linked to it, never had a phone number/phone service on my old iPhone. That's how far I got.
Cost per received message (Score:3)
The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages. T-Mobile, for example, charges its pay-as-you-go customers 10 cents to send and 10 cents to receive. And no, Google and Twitter don't allow use of a FIDO U2F key or a TOTP client without also having a mobile phone number set up.
Re: (Score:2)
I pay $35/month and that includes unlimited USA talk and text with my limited data. Maybe you need to get another carrier. Or at least another plan.
Re: (Score:3)
I pay $35/month and that includes unlimited USA talk and text with my limited data. Maybe you need to get another carrier. Or at least another plan.
I currently pay $3 per month to T-Mobile and get 30 minutes of USA talk, 30 USA texts, or a combination thereof per month, and zero cellular data. Thus the price difference between my pay-as-you-go plan and your unlimited plan is $32 per month or $384 per year. I'm interested to read a good case for how 2FA would be worth that much to me.
Re: (Score:2)
You said you weren't using two factor auth because you were paying ten cents per text. Which implied that no extra cost for text would be worth it to you.
Re: (Score:2)
It'd change from 10 cents for the first text and 10 cents for each additional text to $32 for the first text and 0 cents for each additional text. I'd have to send or receive 320 texts, minutes, or a combination thereof each month in order for that to be a win. Currently I do not.
Re: (Score:2)
Re: (Score:2)
No more "waste of resources" than an iPod (Score:2)
[A pay-as-you-go plan] is cheap, but effectively worthless for anything other than a rare quick phone call or text message
I use it for exactly that. Longer voice calls wait until I arrive at home, where we have a phone on a different plan with unlimited minutes and zero texts. Longer text conversations wait until I arrive at home or at a hotspot, where I use Internet-based text chat or email.
and if it's actually a smartphone, then it's a waste of resources altogether.
I disagree. Even without cellular data, my Android phone is no more "a waste of resources" than an iPod touch. On this 5-inch tablet, I can still access locally stored information anywhere and connect to the Internet at any hotspot.
If you carry a device for emergencies only
I carry
Re: (Score:2)
Nah, it's just a straw man and proof that someone will always find fault no matter what is done.
Re: (Score:2)
I pay under $15/month with unlimited voice and text, and 2G LTE+ data, with unlimited throttled data after that.
Re: (Score:3)
Exactly how many times are you going to point out the SMS requirement to set up TOTP in a /. posting?
SMS also provides a fallback if your auth token goes poof...and if you're a PAYG cell user and want the security then you spend the 10c on an SMS or two.
BESIDES all that...google already knows your phone number if you use their services. Guaranteed. It's extremely unlikely they haven't parsed it from one of your emails, order receipts, account setup forms, signature lines, etc. already...or that of someone
Re: (Score:2)
SMS also provides a fallback if your auth token goes poof...and if you're a PAYG cell user and want the security then you spend the 10c on an SMS or two.
Is that 10 cents just to set it up, or is it also 10 cents every time I log in?
Re: (Score:2)
Re: (Score:2)
Fun fact: Gmail didn't always require you to provide a phone number to use their service.
Exactly right. I never did give them my phone number 'way back' and was surprised reading all these comments that say they now require it.
Re: (Score:2)
The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages.
Planet USA. You know, I am not anti-Trump and I also don't support all the crap the EU Commission is spewing (in fact, fuck the EU Commission - bunch of unelected bureaucrats), but you guys really do things weirdly. No universal healthcare? Not enough competing ISPs so you have some of the highest rates in the western world? Workers can be fired for no reason? And you have to pay for received SMS?? That sounds like crazy stuff to me.
Removing mobile number also removes TOTP (Score:2)
You have to add a mobile number to set up FIDO U2F key or a TOTP client but you can just remove it right after. IDK why they do it that way.
Last I checked, removing your mobile number from your account had the side effect of also removing FIDO U2F or TOTP from your account. At least Twitter does that. From "Twitter's 2-factor authentication has a serious problem" by Jack Morse [mashable.com]:
Does Google also disable TOTP access after you have removed your phone number?
Re: (Score:2)
Who the hell pays for texts in 2018?
Someone who cut his phone bill by over a hundred dollars a year by downgrading from an unlimited plan to a pay-as-you-go plan.
I used to, then stopped (Score:5, Interesting)
I had 2FA enabled, then left my phone in an uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.
Re: (Score:3)
Add some more 2FA options.
Google allows you to set up a FIDO security token AND the Authenticator app AND one or text/voice numbers AND a set of backup codes, any one of which will get you in. With enough different options, you'll never be locked out.
I use all of the above. There is a caveat on the text/voice numbers, which is that attackers have been able to hijack cell numbers, so consider that carefully... but if you also have a good password you've significantly raised the bar for anyone to hijack y
Re: (Score:2)
And don't forget that there is no way to transfer authentication credentials from one device to another (as I just found out). So, if you have to change a phone, you will need to visit every single service that is using Google Authenticator and reconfigure it to use a new device, from the beginning.
Also - it appears to only allow a single authenticator at a time. I like my phone, but I am not quite that married to it and I do need to access various services sometimes where my phone is not available or not
Re: (Score:2)
And don't forget that there is no way to transfer authentication credentials from one device to another (as I just found out).
Just enter the same seed and you'll get the same codes.
Re: (Score:2)
Isn't this just a case of using multiple methods to 2fa? I've taken some care in this regard, down to in some cases recovery codes on a thumb drive. I've bricked a notebook and changed sims (which is harsher than a lost phone) and recovered completely in both instances.
obligatory Game of Thrones callback (Score:4, Informative)
"Fewer."
Everyone Leads a Boring Life (Score:2, Interesting)
Everyone thinks their secret box is more important than their neighbor's secret box.
Guess what, all your emails are boring! I've been an SA since the 1990s and root on thousands of Unix servers dating back to SunOS-4, and no one has anything interesting in their emails.
Stop inflating your egos by thinking everyone is after your special sauce. Unless you're connected to a politician or celebrity, no one gives the fattest rats posterior what you gotta say or what you're sending plaintext.
My primary use of email (Score:2)
Re: (Score:3)
Depends on your organization (Score:2)
Re: (Score:2)
Non-standard Devices (Score:2)
2FA is too fragile (Score:2)
2FA Offers Limited Additional Security (Score:2)
If you are using a random unique password per site, then the additional protection offered by 2FA is effectively zero.
With a password that is not re-used, there are two possible attacks (1) phishing, (2) malware. If you are tricked into entering your password on a phishing site then you will almost certainly be tricked into entering your 2FA. If you have malware it can jack your session anyway.
2FA usability sucks (Score:3)
Buy your own email (Score:2)
It's all about protecting your stuff (Score:2)
No cellphone access, no 2FA (Score:2)
I Don't Always Have My Phone Handy (Score:3)
The concept is great, but if I accidentally left my phone at home, I'm locked out of my email.
I use Gphone for 2FA (Score:2)
So I switched them all to Google Phone number. In my google phone account I set up the SMS to echo to gmail. The gmail account also uses 2FA but these are my desktops at home and work, and one chromebook at home. So even if I lose my phone, I have my desktops to get the
Used it, hated it (Score:2)
2FA is a PITA (Score:2)
2FA has made me stop using my Google account. I previously used it for some Google groups. But now when I get an email saying that there is a new message there, I click the link to read it, and then give-up because I have to do some process that involves a text message and entering in a code. At that point I just close the window and forget about it. There are better forums out there that don't require such nonsense. I don't even know how they got my phone number in the first place - probably because I
What about other services? (Score:2)
Like Apple's, etc.?
Indeed (Score:3)
fido u2f has low adoption, but is convenient. (Score:3)
Working with u2f (yubikey) and totp (google authenticator) has been a bit annoying. Most sites don't support u2f, or even 2FA in general. The ones I want to have 2FA, like my bank, do not or they implement it through sms/email. Some sites, like Facebook, have issues with multiple u2f tokens (ie. second and subsequent tokens do not work). It requires extra effort to get gmail working in external clients with saved device trust instead of 2FA as well.
Actually using u2f has been nice though, even with chrome on android via nfc. Once things are set up on a site, it's very reliable.
Re: (Score:2)
It's a fucking pain in the ass to use, and if you're into security, you're not using gmail...
A problem is that software providers have taught users that authentication and authorization is the same thing, when they're not.
Users expect a single operation.
This is unlike real life, where people seem to have less problems distinguishing the two. If you go to the bank and fill out a withdrawal slip, you authorize it with your signature, but need to show an ID to authenticate yourself. The two tasks aren't combined.
Biometrics and RSA key generators = authentication
Passwords = authorization
Programs incl
Re: (Score:2)
No, passwords are authorization. It's something you know, and which can only be given with your approval.
Biometrics and RSA keys are something you are or have, and thus authentication. It's something that can be given without your approval.
Clicking "OK" when authenticated does not imply authorization, although that's how most systems are designed. It's wrong, wrong, wrong.
The problem is that we are too lazy to give authorization, and bind the two together as if they were the same thing. They aren't, an
Re: (Score:2)
I use the SirPwnAlot password manager. It comes with the SirPwnAlot browser toolbar which is free. In fact you may already have installed it - it's bundled with a lot of software.
Re: (Score:2)
So far I don't trust any of the password managers available for mobile. Better to keep it all in my head.
Exactly my thinking. With a password manager they only need to get past one password to know everything. Not just what all your passwords are, but all the websites you have passwords for.
Re: (Score:2)
With a password manager they only need to get past one password to know everything.
If you decide to put all your eggs in one basket, WATCH THAT BASKET!
Re: (Score:2)
Not so, they need to get past a password *and a key file*. Keepass stores it all locally, and (optionally) requires a file to decrypt as well as password.
Can be awkward putting your keyfile somewhere secure and fetching it on mobile (unlike a PC where you can keep it on a USB drive that you remove when not using it) but it can be done if you're paranoid by storing it on the cloud or remote location, or even just obfuscating it by using an ordinary file such as a picture or music mp3 as the keyfile.
If everyt
Re: (Score:3)
My keyfile is the a specific string of text (with no returns to avoid the /n/r and /n text file differences between Windows and *nix). That way I can't lose it unless I forget that string of text, and I can easily remake it if need be from any text editor.
Re: (Score:2)
Pro tip: 2fa on the password manager.
Re: (Score:2)
It is about shifting security risks around. Using the same (or a similar) password on multiple sites versus a PW manager allowing for more secure entries per site.
In the past, I just did a MD5 of my master password and the site name and used that, but with the varying length, character, and other requirements sites have, that isn't as feasible as it used to be.
The question is... is the risk of the master password being lost greater than someone figuring out that you use a similar PW on a bunch of sites to
Re: (Score:2)
With a password manager they only need to get past one password to know everything. Not just what all your passwords are, but all the websites you have passwords for.
But they would also need access to the password store file, which should only be on your computer. The main advantage of a password manager is that you can have different, complex passwords for each site, so that if one of those sites has a data breach (which you'd be assuming is more likely than having your personal computer compromised), the attackers don't get your password to a bunch of other sites.
Re: (Score:2)
Re: (Score:2)
You can only behead them once. if that is what is mint by losing your head.
Re: (Score:2)
That's a lot considering how many email boxes they have.
Yeah... I have about a dozen gmail accounts. They all forward to one of my two master-gmail accounts. THOSE are locked down with 2-factor authentication. The others are just junk e-mail accounts that I don't care if they get hacked. I don't bother with those. I don't know how many people are like me and have multiple dummy e-mail accounts per real account, but I suspect it's a lot. I also suspect people care a lot less about the security on their dummy e-mail accounts.
Most e-mail accounts are probably
Re: (Score:2)
You might want to look up what TOTP actually stands for. Hint: the first word is Time.
You can configure as many devices with the same seed as you like. Your wife simply needed to turn her phone back on and give it a moment to sync time with the cell network.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
"2FA isn't secure if it only relies on a phone number as a substitute for cryptography. A single call to the outsourced customer service department of your phone company could transfer your number to the sim card of a malicious actor."
So now it requires they know your phone number, and dedicate up to an hour or so of human time, of a human capable of social engineering a telco rep...to transfer a sim. They'll do that for a specific high value target, but not some rando.
Plus, without 2FA, i've already pwned
Re: (Score:2)
Those numbers are completely absurd. Chrome + Safari alone is 70% of the browser market, and those both have built-in password managers.
So 58% of computer users don't know that they're already using a password manager.
Really?
Re: (Score:2)
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead, and I have no idea how Google would know that, so I wonder what the basis for their statistic is.
Re: (Score:3)
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead
You aren't using it because you are already using something else. But for 90% of the public, if a popup asks "Do you want Chrome to remember this password?", they are going to think "Sure, why not?". But if someone later asks them "Are you using a password manager?", they will say "No", because they don't even know what that is.
Re: (Score:3)
Anyone clicking "Yes" on a "Remember the password for this Site?" prompt in Chrome, Firefox or Safari is a complete moron. Why would anyone trust Apple, Google or Mozilla with the Keys To Their Kingdom? I might have trusted Mozilla with them a decade ago, but not any more.
If you use your gmail account as the primary account on all of your other sites, you are trusting Google with the Keys to Your Kingdom. Substitute whatever email service provider you use, because anyone who controls your email can almost certainly reset the password on any other account you have, unless that other account has some 2FA of its own. Security questions are weak in general, but even weaker against someone who has all your email and can mine it for answers.
Also... you're apparently saying that
Re: (Score:2)
My /. password hardly constitutes a kingdom. Honestly, I don't give a crap if Google has it. And neither does Google.
Re: (Score:2)
Just because my browser has a built-in password manager, doesn't mean I use it. I use Keepass instead, and I have no idea how Google would know that, so I wonder what the basis for their statistic is.
So Chrome doesn't necessarily use it's *built-in* password manager either. If the system provides one (e.g GNOME, KDE) then it will automatically use that; you can also configure it to use another one. I believe there are LastPass and KeePass extensions for Chrome to use them instead of the built-in supported ones too.
Re: (Score:2)
Those numbers are completely absurd. Chrome + Safari alone is 70% of the browser market, and those both have built-in password managers.
So 58% of computer users don't know that they're already using a password manager.
Really?
TFA isn't talking about Password Managers but about 2-Factor Auth which is entirely different from using a Password Manager. A Password Manager is only good for storing one of the two factors; the second factor is dynamic and comes via YubiKey, soft-key (GAuthenticator), SMS/TXT, etc.
Re: (Score:3)
The "second factor" in most cases can absolutely be put into something like KeePass if you have the plugins to work with it. It's just a seed you jam into a hashing algorithm along with the current time.
The only ones you need a third party for are those which are unknown to you (an awful idea). For example, a site sending you a one-time code (randomly generated, hopefully) via text or email. That's not 2 factor, that's 2 channel. (And SMS is a joke in terms of security, and email just verifies the perso
Re:Yes! (Score:5, Funny)
Re: (Score:2)