Two-factor authentication has been available for more than seven years, yet hardly anyone is using it to protect their account. Google introduced its two-step authentication for Gmail accounts and gave users the option to strengthen their account security, but didn't make it mandatory. Fast-forward to today, where less than 10% of active Google accounts use two-step verification (2SV).
This provides an opportunity for hackers to crack those accounts open because they're protected only by a username and a password. In 2011 Google rolled out a secondary layer of security for accessing Gmail accounts, where users receive a one-time password by text message or voice call each time they enter their password into the login panel. Access is then granted only if both the password and one-time code are correct. Since then the Authenticator app has also been providing one-time passwords and it doesn't require a text message or voice call, just an app that generates a six-digit code that is valid only for 30 seconds.
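The six-digit, 30-second codes described above follow the time-based one-time password scheme of RFC 6238, which Authenticator apps implement. The sketch below is an added example, not Google's code and not part of the original article; it shows how the app derives a code and how a server can verify it while tolerating clock drift and rejecting a replayed code. The `Verifier` class, its `window` parameter and the sample key (the secret from the RFC 6238 test vectors) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid, as described above
DIGITS = 6   # code length, as described above


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(now) // STEP, digits)


class Verifier:
    """Hypothetical server side: accept each code once, within +/- window steps."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_used = -1  # highest counter already accepted (replay guard)

    def check(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used:
                continue  # this time step was already consumed
            expected = hotp(self.key, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_used = counter
                return True
        return False


# Constructed sample input: the shared secret from the RFC 6238 test vectors.
SAMPLE_KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SAMPLE_KEY, 59)
    v = Verifier(SAMPLE_KEY)
    # First use is accepted, a replay 5 s later is rejected.
    print(code, v.check(code, 59), v.check(code, 64))
```

Because the code is computed on the device from a shared secret and the current time, nothing travels over the phone network when it is generated.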
Convenience Rather Than Security
When asked why Google is not making it mandatory for all Gmail accounts, software engineer Grzegorz Milka said in an interview with The Register: “The answer is usability. It's about how many people we would drive out if we forced them to use additional security.”
The result is quite alarming: only a fraction of users have added the extra layer of security to their accounts. But Gmail account owners aren't the only ones leaving their digital lives unprotected; it's an issue for countless services. As you already know, passwords are the first line of defense against unauthorized access to user data. Given the cyber security risks that we are exposed to and the frequency of cyber attacks, you would expect more people to at least apply the two-step verification or enable two-factor authentication on their accounts alongside the use of a password manager.
The reality, as always, looks different: 65% of U.S. internet users say that they keep track of their passwords by memorizing them and around half keep the password to at least some of their online accounts written down on a piece of paper, according to a Pew Research study.
Only a quarter of adults keep track of their passwords using a digital note or document, with just 18% saying that they save them using the built-in password-saving features available in most modern browsers. A measly 12% have used a password manager, however, and only 3% regularly rely on password management software to secure their digital lives. These alarming numbers are from as recent as 2017.
The same study found that more than half (52%) of adult internet users have used two-factor authentication, but the problem is that 39% indicated that most of their passwords are the same or very similar to other passwords used for different accounts.
2FA vs 2SV
Among the best practices recommended by cybersecurity experts is enabling two-factor authentication or two-step verification. We recommend enabling the former if possible, because the latter is less secure. Unfortunately, the media doesn't make too much effort to distinguish between them so the phrases are often used interchangeably, even though they are not exactly the same.
You should read more about the difference between 2FA and two-step verification, but in short, the latter is less secure as it uses a cellular network for sending the one-time password. The problem with that is that cellular networks suffer from a serious security flaw affecting their SS7 (Signaling System 7) protocol, which as a result allows hackers to siphon off data. With that data in their hands, hackers can control both security layers and so breaking into the online account just becomes a matter of when, not how.
Unfortunately, even Gmail is vulnerable to such attacks if the two-step verification involving a text message sent through the carrier network is included.
Our Recommendation for Gmail Account Users
Apparently, Google's efforts have not been enough to convince Gmail users to step outside of their comfort zone and forgo convenience for the sake of security. That includes its alternative to the 2SV called Google Prompt, which was launched in October 2017 and asks users if they want to sign in via a phone prompt instead of sending a text message. If the user isn't expecting a login prompt and therefore declines the message then the service will block access.
Since the service is quite new, its success is still unknown. What is known, though, is that Google Prompt joins several other security measures that the company is already providing to its users: Google Authenticator, 2SV, backup codes, and Security Keys.
As always, be sure to use a password manager to protect your Gmail with cryptographically secure passwords and learn about how often you should change them.