Google has finally admitted something alarming about the world’s one billion regular Gmail users – barely any have turned on two-step verification (2SV) security.
Seven years after 2SV first appeared, take-up is still under 10%, engineer Grzegorz Milka is reported to have told a session at the Enigma 2018 Usenix security conference.
Milka went on to mention a Google-sponsored study from November that analysed how criminals target Gmail, and why these accounts have become so highly prized, a way of saying the company isn’t happy with this status quo.
One could debate whether ‘under 10 percent’ is really that bad – that’s at least tens of millions of accounts after all – but what’s clear is since 2011 Gmail has added a lot of new users without adding a lot of new 2SV users.
The importance of using 2SV (a form of multi-factor authentication or MFA) with Gmail and other sites, has been a running theme on Naked Security for some time. It’s not difficult to set up, it costs nothing and, best of all, it is guaranteed to raise the bar for attackers.
Why, then, aren’t more Gmail users interested?
Milka offered a clue when he was asked why, if it’s such a great idea, Google doesn’t simply make using it mandatory:
It’s about how many people would we drive out if we force them to use additional security.
It seems people have enough trouble coping with passwords that enforcing another security layer through 2SV would break usability.
Google’s caution is understandable but overly pessimistic. The real problem with 2SV isn’t that it’s irksome to use – it isn’t – but that not enough people have heard or it or, if they have, are confused by the myriad ways of using it across different services.
With Gmail, one place to start is by running the ‘Security Check-Up’ in the Google account settings, which tells the user whether they have 2SV turned on or not.
If not, the oldest option to add it is SMS, which sends one-time codes as texts every time a user logs in. A lot of sites, including Google, still offer this but it’s no longer considered secure thanks to attacks such as SIM-swap fraud.
Recently, Google has started pushing users to something called Google Prompt, which verifies logins with a simple yes/no question sent as a push notification to Android and iOS devices through Google’s own software layer.
A more involved but versatile option is to download Google’s Authenticator app, which generates one-time codes without these needing to be sent via a public network at all. Authenticator also works with third-party services such as WordPress, LastPass, and Facebook.
The most secure option of all is to use a hardware token such as the USB-based U2F YubiKey. The drawback is partly cost (around $20), and the fact that smartphones require separate tokens with NFC capability.
Gmail users who believe they are at particular risk of being targeted by criminals can join the Advanced Protection Program (APP), a free service that imposes additional checks when accessing accounts. This is only recommended where the extra hassle can be justified.
See the problem? Too many choices. But better too much of a good thing than to go on avoiding the fact that using an important online service without some form of MFA has become a risk no informed user should take.
some guy
Still waiting on Google to recognize U2F support in Firefox… until then, my Yubikey is useless for email security.
Ajit Pai
Spoof your user-agent to make Google think you’re using Chrome.
Mahhn
yeah,,,, so when 2fa is using the same device you access Email on, it just seams dumb.
Example, you Unlock your phone, open Email, easy. (I consider this 2fa since you must have the phone, unlock the phone, and if you want 3fa; make it so you have to log into the email also)
With google’s 2fa, you unlock your phone, a message is sent to The Same Phone that you use to open Email… but if anyone else has the phone or redirects the number, this 2fa is completely useless….
Yes a token would be a good add on, maybe a BT dongle on your keys. That way when you loose the dongle you’re f’d getting into your email all together.
A better solution is still needed. I like roasting crooks on an open flame every Wednesday on TV, I think it would discourage thieves (and swating). Won’t happen, but it would cut crime down; as there would at least be less criminals every Wednesday lol.
purescience2016
I don’t carry my phone everywhere. In fact, sometimes I leave it at home on purpose so that people cannot get ahold of me and interupt what I’m doing. I miss the days of the landline where it was understood that if you weren’t at home, you obviously couldn’t answer your phone and continue to refuse to constantly wear that leash. I DO take my laptop most places and periodically check email just in case something work-relatef happens that demands my attention. All of the forms of 2-factor require me to have that phone handy in one fashion or another. What happens if my phone breaks or takes a dunk in the toilet? If Gmail started enforcing 2-factor, I would definitely abandon it for the Clinton-inspired mail server I have running in my living room. Unlike Clinton, I don’t handle or discuss national security issues, let alone send them via email, and I haven’t disabled security features. That would be sad because I’ve had that account since Gmail was in beta.
Paul Ducklin
Aeroplane mode makes sure people can’t call you. Or silent. Software-based authenticator apps (there’s one built into the free Sophos Mobile and Security for Android/iOS app, link at end of article) don’t require you to be online to work.
Jack Johnston
With gmail, you have several options to solve the issues you mention. You can add your PC as a trusted device, i.e. I never need to use 2FA on my PC (although that never worked on my old PC for some reason). Second, you can generate and store/print a list of one-use codes so that if you ever lose your phone, you can access gmail. My biggest problem would be if i lost both PC and phone at the same time as I keep the codes in Drive.
Laurence Marks
> The real problem with 2SV isn’t that it’s irksome to use – it isn’t –
Nonsense! There’s been a lot of talk about 2FA, but it always translates into a single form: text messages on cellphones.
I use 2FA now. But three years ago, my home was located at the fringe of two cell towers. I would have had to go outdoors and hold the phone over my head every time I needed to receive SMS. And my office was in the core of a steel-framed building. I would have had to leave my desk and stand by the windows to receive SMS. Is it any wonder that I rejected 2FA.
I had wired landline phones at both places. Why wasn’t there an option to receive calls on those lines? Or some other scheme? Dongles might have worked but they were never widely distributed, and under the scheme of that era, I would have had a pocketful of them. The industry never seemed to get together and settle on a common dongle scheme.
Paul Ducklin
You must be the only person in the developed world who can’t get a mobile signal at work *or* at home :-) However, phone-based authenticator apps don’t need to be online to work – the phone is acting as secure storage for the authentication seed, which makes it a second factor when you are using your laptop to logon.
Mike
I switched over to Google Prompt and have been amazed at how easy it has been to authenticate. I recommend it to everyone.
Gary Zollweg
I have no use for 2fa. I use an email client so there”s no address book to steal and I receive no sensitive information via gmail so nothing to steal. Why do I need more complications with no benefit?
Andy M.
The old “I have nothing to steal” rationalisation that hackers love. And what email client are you using that doesn’t have an Address Book?
Clifford
What alternatives are available if one does not have or want to carry a smartphone. What if a smartphone in unaffordable. What about security on shared computers? If the smartphone is unavailable, out of service area, or runs out of power, what then? A dongle has unique availability, affordability, and a univrsally accepted protocol problems.
Bart
Does the Google Authenticator app conflict with their 2fa? Or would it not make sense to use both?
Steve O
I don’t use a smartphone. “Featurephone” (dumbphone) only for me as voice comms and trustworthy battery life are essential, and I have no immediate need for anything I can’t wait until I get to a PC for. In fact, not being constantly connected to the internet provides a better quality of life with less stress. So SMS is the only option, but even then rarely used as it’s only when I need to access Gmail from an alternative (trusted) device.
Jessie
Another problem with 2SV is what happens if you lose your phone and can’t get your old # back.
I mention it because I got locked out of my Yahoo e-mail accounts this past year when that exact scenario happened.
I had mistakenly used another Yahoo account to verify my original one, but when I couldn’t provide my old phone for 2SV, I was told, via computer generated messages, that I couldn’t be helped to recover my e-mail accounts.
So, yes,I KNOW about 2SV, but won’t be setting it up for my remaining Gmail account.
CK
I had 2 step on years ago. My phone broke, bought a new one but couldn’t access my account anymore. Google wouldn’t allow me to change my phone number without the code being sent to the original number. I lost everything. I will never use 2 step again.
John Dunn
Which is why Google recommends that 2SV users print out a series if emergency one-off access codes to cope with just this sort of situation.
Bryan
Jessie, were you working with Walter White on a burner phone?
:,)
Usually when a phone breaks one replaces the device but retains the number.
Bryan
Hah. Not sure if it was a browser glitch or a grey matter glitch…but I’d swear I saw Jessie’s name above your comment, CK
ewps.
Scott Johnson
I’ve have 2 factor going on my google and facebook accounts, I don’t use twitter often enough to bother. I’ve been wondering what the advantages of the google authentication app.
Bryan
If you rarely use Twitter, you may not notice for weeks that someone’s compromised your account. 2FA is good for not only protecting what you care about, but also protecting the “out-of-sight-out-of-mind” resources.
Scott Johnson
I went to the play store and read the reviews. “Trash app” seems to be the common theme. Many people get locked out of their accounts when they reboot their phones. I’ll skip this app.
Paul Ducklin
If you’re talking about Google Authenticator or, for that matter, Sophos’s equivalent, I’ve not heard of any “reboot catastrophes” from using either of them. I’ve used the Sophos Authenticator for years and in all that time I have needed to use an emergency backup code exactly once…
…I left my phone at home.
Jeff
Dead zones when traveling mean I can not access my email. I grew tired of that.
Paul Ducklin
Why not use an authenticator app, then? As explained in the article, this works even when you don’t have mobile coverage.
Bryan
…but where are the 2FA dead zones where one can still reach email?
Paul Ducklin
You might have Wi-Fi access but no GSM. It can happen inside some of Oxford’s older buildings, for instance. They don’t build ‘em like they used to.
There might be a coffee shop with a landline and a DSL modem hooked up, so customers can get online, but no mobile phone signal.
I can’t remember when I last had Wi-Fi but no mobile coverage but it has happened to me a couple of times in the past two years. (If you have someone to watch your stuff you can always pop out into the street and probably get the SMS…or use a backup code if you have one handy.)
Bryan
Most apps will hop from mobile data to Wi-Fi data as available. Maybe my mistake was relegating the thought process to smart phones–but are there any auth apps which can run on non-smart phones?
I’d love to someday visit Oxford–my office is a century-plus old brick behemoth which spent some time as a cold-storage warehouse. My Verizon coverage is surprisingly ubiquitous save for a few basement spots. However our Wi-Fi finds significant hindrance in 18-inch concrete floors.
Paul Ducklin
Many non-app-based 2FA systems rely on an SMS text message (which can’t hop to Wi-Fi); some allow you to choose a voice call instead. If the voice number you have configured is your mobile phone, that’ll be a GSM call (which can’t hop to Wi-Fi).
If you have a 2FA system that is phone based (rather than app-based) and it has a voice option, I suppose you could use a Skype dialin number, or similar, and that would work over Wi-Fi. But generally you are looking at [a] an app you prime with a seed and that then spits out a new code every 30 seconds, which typically means a modern smart(ish) phone, e.g. Android or iOS or [b] an phone number, which could mean an old-style featurephone but needs coverage.
Bill
I use Thunderbird as an email client, plus my phone. I’m not sure how well either will work with 2FA?
Jaye L
What about Duo Push. We use that at work. Can’t it be used for other services?