Eight years have passed since Google implemented two-factor authentication (2FA), but so far almost no one uses it. In 2018, Google software engineer Grzegorz Milka gave a presentation at Usenix’s Enigma IT Conference. He showed sad numbers on how much ordinary users care about their security: approximately 10% of active Google clients use 2FA, and only about 12% use password managers. Surprised? It is probably time to think about using 2FA.
Why Do People Ignore It?
When Google activates 2FA, it requires the user to provide a phone number, which doesn’t work for those who are not ready to share personal data with the corporation. It’s a reasonable position. However, most users ignore this form of identification for other reasons. Why?
The company is one of the pioneers in implementing this method among major web companies. It also actively promotes the method and distributes the Authenticator App, which links the account to a particular device. Identification works by SMS. It should be noted that SMS is already widely recognized as an unsafe identification method because of inherent weaknesses in Signaling System 7 (SS7), the protocol cellular networks use to communicate with each other.
But no matter which 2FA method we use, it means extra tasks for the client, and that makes people feel uncomfortable.
Why Is It Not Convenient?
Mr. Milka also confirmed the assumption about the lack of convenience. Asked “Why Google will not enable 2FA by default for all clients?”, he answered: “Because of usability. It’s all about how many users will leave if we push them to use extra security measures.”
Any extra keystroke or additional screen is a hurdle. Even the easiest task on the Internet can be difficult for part of the audience. Google says that when trying to set up this protective mechanism, more than 10% of clients were unable to enter the code delivered by SMS into the window. So most clients are simply not ready to sacrifice comfort for security.
Some people believe that they “have nothing to hide” or that their account is not valuable to attackers, and that for this reason they will never be a target for hacking. To protect such clients, Google is trying to develop heuristics that detect a hack from user actions. The problem is that in such cases you need to respond very quickly: within a few moments, before the hacker has carried out all his plans.
We believe that online security must be the number one priority for every user. In the end, nobody wants to be the target of doxing, hacking or humiliation. Two-factor identification is a simple and effective way to protect yourself from the malicious actions of cybercriminals.