Only 10 Percent of Google Accounts Use 2FA

Two-factor authentication (2FA) is a simple, unobtrusive and nearly foolproof method for keeping your online accounts safe — and more than 90 percent of Gmail users seem to want nothing to do with it.

Image credit: Tom's Guide


At the Usenix Enigma 2018 security conference in Santa Clara, California, this week, a Google representative shared 2FA numbers, and the results weren't encouraging. Google might have to take drastic measures to improve 2FA adoption.

This information comes from the technology-news site The Register, which had a reporter at the event. Grzegorz Milka, a software engineer for Google, reported that less than 10 percent of Gmail users took advantage of Google's 2FA protocols. (Milka added that only about 12 percent of Americans used a password manager in 2016, according to a Pew Research Center survey, but that's a little less of a direct security threat.)


Google's 2FA system is ridiculously easy to set up and use. If you haven't done it, you should do it before you finish reading this article.

How to Set Up Google Two-Factor Authentication

To start, visit the setup website and click on Get Started in the upper right corner. You may need to click an identical Get Started button on the subsequent page.

From there, you'll enter your Gmail username and password, which will bring you to the 2FA setup screen. If you want to use a screen prompt (this is easier, but requires a suite of Google apps on your phone), click Try It Now. If you prefer to do things via text-message codes instead, click Don't Use Prompt, then input your phone number and follow the instructions.

If you selected the screen prompt, you'll now have a chance to try it out on your phone. Input your phone number as a backup option, then select whether you'd like to receive a text message or a phone call. Texting is easiest, but it's ultimately up to you.

You could also click Use Another Backup Option. For example, you could print out a list of predetermined backup codes that you can always use to access your account, such as when you're traveling overseas and can't receive text messages. You could also use Google's own Authenticator app or a physical USB verification key.

After you get your call or text message, type the code you received into Google's input box on your computer. Then, confirm that you want to turn on 2FA. After that, you can fine-tune your options on the 2-Step Verification screen, but you're good to go.

Why You Want 2FA

Google's 2FA makes it trivial for you to log into your Google services, but all-but-impossible for a cybercriminal to do so, even if he or she has your password.

Apparently, though, the system is still not simple enough for a lot of users. In order to link your phone to your account, you have to receive an alphanumeric code via text message, then input it into a computer. More than 10 percent of users who attempt this process are unable to complete it, Milka explained.

If 2FA is such a boon (it is) and going without it is so dangerous (it is), one might wonder why Google doesn't simply make it mandatory. The answer is simple: People would probably stop using Gmail.

Milka told The Register that "it's about how many people would we drive out if we force them to use additional security."

In other words: If more than 90 percent of Gmail users don't use 2FA, many of them would likely abandon the service rather than figure out how it works.

As a result, Google isn't putting all of its security eggs in the 2FA basket. The company has beefed up its algorithms that look for shady email behavior, such as users logging in from unfamiliar locations or shutting down notifications just after logging in. However, these actions occur after a cybercriminal has already infiltrated an email account, whereas 2FA precludes that kind of thing entirely.

If there's a moral to this story, it's that the average person doesn't take his or her email security nearly seriously enough — but you can. Activate 2FA on Google (and other online services you use). And maybe look into a password manager. If Milka was right about the email thing, he's probably right about that, too.


Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.