We always suggest enabling two-factor authentication to improve the security of our accounts, unfortunately, the suggestion is often ignored.
“Even if someone else gets your password, it won’t be enough to sign in to your account,” states Google’s page on 2FA.
According to Google software engineer Grzegorz Milka, less than 10 percent of its users have enabled two-factor authentication (2FA) for their accounts.
Considering that Google has more than 2 billion monthly active devices, the number of exposed accounts is very huge.
Milka made the disconcerting revelation at the Usenix’s Enigma 2018, two-factor authentication (2FA) implemented by Google allows its users to access the account by providing login credentials along with an authentication code sent to the user via SMS or voice call or generated through the Google mobile app.
This data demonstrates the lack of awareness of cyber threats and the way to mitigate them.
Many users believe that configure and use 2FA for their accounts can make their experience worse.
The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts and received the following answer:
“The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”
Contrary to what you can think, it is very easy to enable 2FA for your account, Google published a step-by-step guide.
The risk of identity theft increases when users share the same credentials among many web services.
Milka also cited a 2016 Pew study saying that only 12 percent of Americans use a password manager.
On the other side, Google is working to improve both the users’experience and security for example to employing machine learning systems that are able to spot suspicious activities related to the accounts under accounts.
For example, usually, when an attacker gets access to an account, he shuts down notification to the legitimate owner and starts exploring the content of the email by searching for passwords, license, and activation codes, cryptocurrency wallet addresses and credentials, intimate photos, and other sensitive documents, including copies of ID cards.
When Google detects one of the above actions immediately triggers mitigation countermeasures.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.