Follow Slashdot stories on Twitter


Forgot your password?
Google Privacy Security

Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication ( 254

It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it. From a report: In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka this week revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.
This discussion has been archived. No new comments can be posted.

Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication

Comments Filter:
  • No thanks. (Score:4, Insightful)

    by b0s0z0ku ( 752509 ) on Thursday January 18, 2018 @03:26PM (#55954761)

    Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.

    Also, this doesn't work well with standards-compatible email clients like Thunderbird or K-9.

    • So getting all your email isn't a concern but getting a few minor additional bits of information is? Anyway you can just use their authenticator and print off emergency-use codes, no need to give them additional info.

      Run your own mail server if you're that concerned, it's not very difficult. You could even do it in aws quite cheaply; they will setup reverse DNS for a static (elastic) IP if you fill out a form.

      If that is too insecure, I suggest writing encrypted letters to folks and making sure they have a d

      • So getting all your email isn't a concern

        Here I assume you mean someone ELSE getting my email? Honestly that is less of a concern to me than Google having more information on me, yes.

        That said Google already has my phone number through lots of other means so I',m not sure I care that much. Still have not turned on two-factor because I use secure passwords (yes I know two-factor would still be better). One impediment is having to re-enter passwords across several devices after I switch over.

    • Not everyone wants to give Google more personal info

      How is giving Google your phone number more worrisome than giving Google all of your correspondence?

    • Yeah. Only one factor. Not two factor.

      If there is only one factor then prime factorization won't work because the single factor is prime.
    • by Solandri ( 704621 ) on Thursday January 18, 2018 @04:58PM (#55955553)
      Your 2FA can be via mobile phone (SMS), another email account, the Google Authenticator app (though I'd recommend Authy [] instead), or a pre-generated set of recovery keys you can store on your computer (or write down on a post-it and stick it to your monitor if you wish). The latter two don't require giving up any personal info, and are arguably more secure anyway.
    • Not everyone wants to give Google more personal info -- working phone #, alternate email, etc and so forth.

      I certainly understand (and share) this concern, but that's a problem with having a Google account at all, rather than a problem with enabling 2FA on an existing account, since they don't require any of those details when setting up 2FA. With my current Google account, I gave them the bare minimum during account creation. They don't have any of my phone numbers, they don't have my real name, and the only reason they have an alternate e-mail address for me is because I registered my account using that addres

  • by Linsaran ( 728833 ) on Thursday January 18, 2018 @03:28PM (#55954773) Homepage

    About 3 years ago someone stole roughly 2.45 BTC from me.

    The event was a real wake up call for me security wise. They hacked e-mail address to access a password reset form on coinbase and they used social engineering on my cell phone carrier to forward SMS messages (which I used as 2FA on coinbase) to steal that money from me. Ever since then I've had all my 2FA set up through google authenticator instead and 2FA set up on literally everything I can.

    It was only worth about $700 at the time, but now . . .

    • I'd recommend Authy [] instead of Google Authenticator. It's compatible, but adds a bunch of features like multi-device support, a PC client, and encrypted backup of its database. Most importantly, it simply adds a password. If you have Google Authenticator on your phone and you don't have the lockscreen enabled (or you hand your phone to a friend with it unlocked), anyone who picks up/steals the phone can use your Google Authenticator to login to the accounts it's supposed to be protecting. With Authy, yo
      • I over simplified my above explanation, what I said was technically accurate, but I should mention that they used the hijacked phone account to create an Authy account 'in my name' that Coinbase implicitly trusted even though I had never used Authy with them in the past. I'm not exactly sure why the Authy account was necessary for whatever scheme those assholes were pulling to get into accounts; but the fact that they used it soured me to the service. Not terribly worried about the google auth since I have

  • by Anonymous Coward

    Less Than 1 in 10 Gmail Users Enable Two-Factor Authentication

    Because I refuse to give Google my cell phone number to text me, because there is no way in hell they need to be able to track me even further.

    That's a big old "hard no" there, chief.

    Google's 2FA is as much about them getting more information about you as it is your security.

    • by grub ( 11606 )
      You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
      • by tepples ( 727027 )

        You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

        As I wrote in my reply to DontBeAMoran [], you can't set up TOTP until you've set up SMS.

        • by grub ( 11606 )
          That's weird, perhaps new? I never have given them my phone number and have been using 2FA with them since they brought it out. I refuse to use any service that requires my phone number, which precludes me from installing many IM-type apps.
      • by Obfuscant ( 592200 ) on Thursday January 18, 2018 @03:47PM (#55954969)

        You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.

        Yeah! This! You don' t need to give them your phone number, you can let their app do it for you. Easy peasy.

        The summary comments on only 12% of people "securing" their accounts with a password manager. A password manager doesn't secure your account. It stores passwords. If you have one account and can remember your password, you don' t need a password manager.

        A password manager is actually a one-point-of-failure way for a bad guy to get all your passwords.

        • by grub ( 11606 )
          It doesn't even need to be their app if you don't trust google. There are many available available, HOTP & TOTP are well documented.
  • I use my gmail account as a spam dump - you want to send me something that I'm not asking for, you get my gmail account. I suspect many other people use it for that as well. Note that this only assumes accounts using the "gmail" domain and not business accounts that are hosted by Google (and are gmail accounts in all but name).

    Next on the list are kids who wouldn't be savvy enough (or have a credit credit/cell phone), then I don't see them using two factor authentication. Then you have companies that cre

  • Phone number? SMS? (Score:5, Insightful)

    by DontBeAMoran ( 4843879 ) on Thursday January 18, 2018 @03:35PM (#55954845)

    Why is everyone talking about cellphone numbers and SMS?

    Aren't we talking about Google's own Authenticator application?

    • by tepples ( 727027 ) <tepples@gmail.BOHRcom minus physicist> on Thursday January 18, 2018 @03:38PM (#55954885) Homepage Journal

      You are correct that Google publishes a TOTP client called Google Authenticator. But when I installed Google Authenticator, I discovered that Google is unwilling to offer TOTP authentication unless the account holder has already linked a phone on a supported carrier. From "Install Google Authenticator" []:

      To set this up, first you need to complete SMS/Voice setup. Then, follow the directions for your type of device explained below.

      • That's weird, I never had phone service on my old iPhone and their authenticator works fine.

    • by bluefoxlucid ( 723572 ) on Thursday January 18, 2018 @04:32PM (#55955365) Homepage Journal

      You can use a FIDO U2F device, too.

      I have 2FA on. I'm a Congressional Candidate with a technology background; if I got hacked for not taking basic security countermeasures, I'd drop out of the race.

    • It doesn't make any difference if you don't own a mobile.
  • The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages. T-Mobile, for example, charges its pay-as-you-go customers 10 cents to send and 10 cents to receive. And no, Google and Twitter don't allow use of a FIDO U2F key or a TOTP client without also having a mobile phone number set up.

    • by murdocj ( 543661 )

      I pay $35/month and that includes unlimited USA talk and text with my limited data. Maybe you need to get another carrier. Or at least another plan.

      • by tepples ( 727027 )

        I pay $35/month and that includes unlimited USA talk and text with my limited data. Maybe you need to get another carrier. Or at least another plan.

        I currently pay $3 per month to T-Mobile and get 30 minutes of USA talk, 30 USA texts, or a combination thereof per month, and zero cellular data. Thus the price difference between my pay-as-you-go plan and your unlimited plan is $32 per month or $384 per year. I'm interested to read a good case for how 2FA would be worth that much to me.

        • by murdocj ( 543661 )

          You said you weren't using two factor auth because you were paying ten cents per text. Which implied that no extra cost for text would be worth it to you.

          • by tepples ( 727027 )

            It'd change from 10 cents for the first text and 10 cents for each additional text to $32 for the first text and 0 cents for each additional text. I'd have to send or receive 320 texts, minutes, or a combination thereof each month in order for that to be a win. Currently I do not.

        • Look into Truphone prepaid SIM.
        • Penny wise and pound foolish I would say....
      • by torkus ( 1133985 )

        Nah, it's just a straw man and proof that someone will always find fault no matter what is done.

      • I pay under $15/month with unlimited voice and text, and 2G LTE+ data, with unlimited throttled data after that.

    • by torkus ( 1133985 )

      Exactly how many times are you going to point out the SMS requirement to set up TOTP in a /. posting?

      SMS also provides a fallback if your auth token goes poof...and if you're a PAYG cell user and want the security then you spend the 10c on an SMS or two.

      BESIDES all already knows your phone number if you use their services. Guaranteed. It's extremely unlikely they haven't parsed it from one of your emails, order receipts, account setup forms, signature lines, etc. already...or that of someone

      • by tepples ( 727027 )

        SMS also provides a fallback if your auth token goes poof...and if you're a PAYG cell user and want the security then you spend the 10c on an SMS or two.

        Is that 10 cents just to set it up, or is it also 10 cents every time I log in?

        • Generally, Google lets you log in and remember the machine logging in for 30 days before re-authenticating. TOTP uses a shared secret, so you already have the data on your device and can enter it in without them sending you anything.
    • The main reason that I haven't enabled 2-factor on my account is that U.S. cellular carriers charge not only for sent messages but also for received messages.

      Planet USA. You know, I am not anti-Trump and I also don't support all the crap the EU Commission is spewing (in fact, fuck the EU Commission - bunch of unelected bureaucrats), but you guys really do things weirdly. No universal healthcare? Not enough competing ISPs so you have some of the highest rates in the western world? Workers can be fired for no reason? And you have to pay for received SMS?? That sounds like crazy stuff to me.

  • by Anonymous Coward on Thursday January 18, 2018 @03:43PM (#55954933)

    I had 2FA enabled, then left my phone in an uber by accident and a subsequent passenger stole it. The emergency 2FA codes I'd printed out didn't work. In order to track and remotely disable my phone, I ended up having to use a computer which I'd thankfully left logged into gmail to disable 2FA for my account (which for some reason it allowed me to do without any 2FA code), after which I could do what needed doing. I haven't re-enabled it since because I realized that losing or breaking my phone is frankly more likely than having my password stolen, and losing my phone with 2FA enabled can be a disaster of its own (even if emergency codes work, what if I don't have them with me? And if I need to carry them with me whenever I stray more than an hour or so from home, that makes it much more likely that the emergency codes themselves could be lost or stolen.) As I learned after that incident, any other services you've tied into Google Authenticator 2FA also become a huge hassle to regain access to, because just installing Google Authenticator on your replacement phone won't cut it.

    • Add some more 2FA options.

      Google allows you to set up a FIDO security token AND the Authenticator app AND one or text/voice numbers AND a set of backup codes, any one of which will get you in. With enough different options, you'll never be locked out.

      I use all of the above. There is a caveat on the text/voice numbers, which is that attackers have been able to hijack cell numbers, so consider that carefully... but if you also have a good password you've significantly raised the bar for anyone to hijack y

    • by ugen ( 93902 )

      And don't forget that there is no way to transfer authentication credentials from one device to another (as I just found out). So, if you have to change a phone, you will need to visit every single service that is using Google Authenticator and reconfigure it to use a new device, from the beginning.

      Also - it appears to only allow a single authenticator at a time. I like my phone, but I am not quite that married to it and I do need to access various services sometimes where my phone is not available or not

      • And don't forget that there is no way to transfer authentication credentials from one device to another (as I just found out).

        Just enter the same seed and you'll get the same codes.

    • Isn't this just a case of using multiple methods to 2fa? I've taken some care in this regard, down to in some cases recovery codes on a thumb drive. I've bricked a notebook and changed sims (which is harsher than a lost phone) and recovered completely in both instances.

  • by stereoroid ( 234317 ) on Thursday January 18, 2018 @03:49PM (#55954983) Homepage Journal


  • by Anonymous Coward

    Everyone thinks their secret box is more important than their neighbor's secret box.

    Guess what, all your emails are boring! I've been an SA since the 1990s and root on thousands of Unix servers dating back to SunOS-4, and no one has anything interesting in their emails.

    Stop inflating your egos by thinking everyone is after your special sauce. Unless you're connected to a politician or celebrity, no one gives the fattest rats posterior what you gotta say or what you're sending plaintext.

  • is to remind my girlfriend to buy dogfood when we're out. Good luck to anyone who steals access.
    • by Ksevio ( 865461 )
      Well guess what? I'm going to hack your email and you'll be getting dogfood WHEN YOU STILL HAVE SOME! AHAHAHAHA
  • If you're using Google Apps on a domain with a delegated SSO, MFA may not be an option for you.
  • I hope they realize that some of us use many of these accounts with non-standard, human-less devices that aren't PCs, tablets, nor cellular phones.
  • The 2FA at my employer uses a text message to give me a code that I can then use to VPN in. That's great. Except when my phone doesn't get reception. Or when I'm working in a room where carrying wireless devices isn't permitted. Or if I forget to bring my phone with me. Security isn't for free.
  • If you are using a random unique password per site, then the additional protection offered by 2FA is effectively zero.

    With a password that is not re-used, there are two possible attacks (1) phishing, (2) malware. If you are tricked into entering your password on a phishing site then you will almost certainly be tricked into entering your 2FA. If you have malware it can jack your session anyway.

  • by juancn ( 596002 ) on Thursday January 18, 2018 @04:24PM (#55955293) Homepage
    Passwords are bad, but are a lot less annoying than passwords plus 2FA. The loss of the second factor is basically a nightmare, and each service wants you to use their own app or whatever. Even changing phones becomes a hassle. I get it for an enterprise environment, where in an emergency, you can call your local IT guy an get them to reset it for you, but if something goes wrong with Google you're screwed. You can't even pay to talk to someone to get it fixed.
  • This is a moot point if you buy your own email. If somebody gets your password, change it yourself. Or, enable 2 factor authorization, and don't give Google your cell phone number. Email costs $2/month.
  • The way I see it, it's not a question of what information you do or do not give Google. If you choose to use their service, then you're agreeing to their terms, and part of those terms is the information they collect. Don't like it? Find another email provider who doesn't collect any infomation. If you're really serious about security, open your wallet and get your own email through a private provider, or stand up your own server that you can secure however you want and thus can be assured your data is
  • Since I cannot have a cellphone in the office, no 2FA for gmail for me.
  • The concept is great, but if I accidentally left my phone at home, I'm locked out of my email.

  • For some reason not all the authentication SMS comes through in my T-Mobile phone. Some banks and brokerages send the authentication from a five digit cell phone number, and t-mobile filters them out based on some seemingly random algorithm.

    So I switched them all to Google Phone number. In my google phone account I set up the SMS to echo to gmail. The gmail account also uses 2FA but these are my desktops at home and work, and one chromebook at home. So even if I lose my phone, I have my desktops to get the

  • I tried Google's two factor for about six months. It was a PITA! The app would randomly stop working and when I was on another device It would make me jump through nigh infinite hoops to log me in. If the pain exceeds the user''s threshold they aren't going to use it unless they have to. I turned it off and have never tried it since. Most users have less patience than I do so 1 in 10 sounds about right.
  • 2FA has made me stop using my Google account. I previously used it for some Google groups. But now when I get an email saying that there is a new message there, I click the link to read it, and then give-up because I have to do some process that involves a text message and entering in a code. At that point I just close the window and forget about it. There are better forums out there that don't require such nonsense. I don't even know how they got my phone number in the first place - probably because I

  • Like Apple's, etc.?

  • by OneHundredAndTen ( 1523865 ) on Thursday January 18, 2018 @06:05PM (#55956053)
    For, who uses gmail for anything serious?
  • by bytestorm ( 1296659 ) on Friday January 19, 2018 @11:04AM (#55960165)
    I started using 2FA recently, before that unique passwords & pw manager. I've never been bitten by security problems, but I'm relatively low profile.

    Working with u2f (yubikey) and totp (google authenticator) has been a bit annoying. Most sites don't support u2f, or even 2FA in general. The ones I want to have 2FA, like my bank, do not or they implement it through sms/email. Some sites, like Facebook, have issues with multiple u2f tokens (ie. second and subsequent tokens do not work). It requires extra effort to get gmail working in external clients with saved device trust instead of 2FA as well.

    Actually using u2f has been nice though, even with chrome on android via nfc. Once things are set up on a site, it's very reliable.

1 1 was a race-horse, 2 2 was 1 2. When 1 1 1 1 race, 2 2 1 1 2.