We always suggest enabling two-factor authentication to improve the security of our accounts, unfortunately, the suggestion is often ignored.
“Even if someone else gets your password, it won’t be enough to sign in to your account,” states Google’s page on 2FA.
According to Google software engineer Grzegorz Milka, less than 10 percent of its users have enabled two-factor authentication (2FA) for their accounts.
Considering that Google has more than 2 billion monthly active devices, the number of exposed accounts is very huge.
Milka made the disconcerting revelation at the Usenix’s Enigma 2018, two-factor authentication (2FA) implemented by Google allows its users to access the account by providing login credentials along with an authentication code sent to the user via SMS or voice call or generated through the Google mobile app.
This data demonstrates the lack of awareness of cyber threats and the way to mitigate them.
Many users believe that configure and use 2FA for their accounts can make their experience worse.
The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts and received the following answer:
“The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”
Contrary to what you can think, it is very easy to enable 2FA for your account, Google published a step-by-step guide.
The risk of identity theft increases when users share the same credentials among many web services.
Milka also cited a 2016 Pew study saying that only 12 percent of Americans use a password manager.
On the other side, Google is working to improve both the users’experience and security for example to employing machine learning systems that are able to spot suspicious activities related to the accounts under accounts.
For example, usually, when an attacker gets access to an account, he shuts down notification to the legitimate owner and starts exploring the content of the email by searching for passwords, license, and activation codes, cryptocurrency wallet addresses and credentials, intimate photos, and other sensitive documents, including copies of ID cards.
When Google detects one of the above actions immediately triggers mitigation countermeasures.
(Security Affairs – two-factor authentication, Gmail)