Less than 10 percent of active Google account holders use two-factor authentication, according to a software engineer at the California-based tech giant.
At the Enigma security conference in Santa Clara, California on Wednesday, Grzegorz Milka described Google’s efforts to make two-factor authentication an extremely effective security tool in the face of account breaches. Like other tech companies, however, Google hasn’t made two-factor authentication a default feature because it fears the added inconvenience would drive users away, Milka said.
In 2016, Google collected over 4,000 data breach dumps totalling 3.3 billion stolen credentials. The data dumps included 67 million valid Google passwords, a number Milka used to emphasize that password security requires “defense-in-depth” that can work even when passwords are stolen — which happens about 250,000 times per week.
Late last year, Google upgraded their two-factor authentication tools for at-risk users. The upgrade, known as the Advanced Protection Program, mandates two-factor authentication and provides free hardware keys to add further layers of defense.
Tools like two-factor authentication are effective but rarely used, a gap that leaves the vast majority of users solely reliant on passwords for account security. Even when users don’t turn on two-factor authentication, Google adds its own layers of security to prevent account takeover.
“In order to bridge the gap, we look at different signals,” Milka said. “How surprised are we to see you log in like that, from that location, device and time? How suspicious does the login look, how similar is it to known hijacking patterns, or is the user at risk?”
The signals Google uses change regularly. Just a few years ago, Google often used geolocation in the login process to figure out whether a login was legitimate. Now, however, about 83 percent of phishing kits use geocloaking, according to Milka. Geocloaking obscures the source of malware so well that it makes geolocation virtually useless in many cases.
“Hijackers adapt,” Milka said.
While the number of accounts that use two-factor authentication is low, Milka says Google will force “dynamic two-factor authentication” on suspicious logins. It’s a complex process that could go wrong and result in legitimate users being locked out or hijackers being let in. Dynamic 2FA requires a secondary email verification, an SMS code or a Google smartphone prompt to verify a login’s legitimacy.
In January 2016, there were 2,658 such phone hijackings in the U.S. alone, according to the Federal Trade Commission.
Successful hijackers tend to quickly delete email verification warnings. About 18 percent of phishing kits try to collect phone data, and hijackers can socially engineer customer service at phone carriers to intercept SMS codes. Google prompts avoid most of those issues because they get through to the real user, but ultimately nothing stops the user from tapping ‘Yes.’
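As an added illustration that is neither Google’s code nor from the talk, the following Python sketch combines the signals Milka listed (device, location, time, resemblance to hijacking patterns, whether the user is a known target) into a risk score that triggers dynamic 2FA only on suspicious logins, and prefers a push prompt over SMS or email for the reasons given above. The signal names, weights and threshold are constructed assumptions, and geolocation is deliberately given little weight because of geocloaking.

```python
from dataclasses import dataclass
# Illustrative risk-based login gate built from the signals named in the talk: device,
# location, time, resemblance to known hijack patterns, known target. Values constructed.

@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    usual_hours: range               # local hours the user normally logs in at
    has_prompt_device: bool = False  # phone that can receive a push prompt
    phone_verified: bool = False     # can receive an SMS code

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour: int
    hijack_pattern: bool = False  # upstream detector matched a known hijack pattern
    at_risk_user: bool = False    # e.g. a high-profile target

# Geolocation is weighted low on purpose: with most phishing kits geocloaking,
# a familiar-looking location earns no credit and an unfamiliar one is only a hint.
WEIGHTS = {"device": 0.35, "geo": 0.15, "time": 0.15, "pattern": 0.5, "risk": 0.3}
STEP_UP_THRESHOLD = 0.45

def risk_score(profile, attempt):
    # Each signal that looks unlike this user's history adds its weight; matches add nothing.
    suspicious = {
        "device": attempt.device_id not in profile.known_devices,
        "geo": attempt.country not in profile.known_countries,
        "time": attempt.hour not in profile.usual_hours,
        "pattern": attempt.hijack_pattern,
        "risk": attempt.at_risk_user,
    }
    score = sum(w for name, w in WEIGHTS.items() if suspicious[name])
    return round(min(score, 1.0), 2)

def choose_challenge(profile):
    # Prefer the push prompt: it reaches the real user even if SMS is intercepted.
    if profile.has_prompt_device:
        return "prompt"
    if profile.phone_verified:
        return "sms"
    return "email"

def decide(profile, attempt):
    # ('allow', None) or ('step_up', <challenge>): dynamic 2FA only on suspicious logins
    if risk_score(profile, attempt) >= STEP_UP_THRESHOLD:
        return ("step_up", choose_challenge(profile))
    return ("allow", None)
```

A location mismatch on its own stays below the threshold, while an unknown device combined with an unusual hour, or any match to a known hijacking pattern, forces the step-up.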
Adding to the problem is that most Americans have never even heard of two-factor authentication, according to 2017 research from Sweden-based hardware authentication device maker Yubico.
The lack of two-factor authentication can be catastrophic for a hacking target. The 2016 hacking campaign against the Democratic National Committee preyed on high-profile individuals like Hillary Clinton campaign chairman John Podesta, who didn’t have two-factor authentication on his Google email account. Podesta’s hacked account was the source of a huge trove of leaked emails used to influence the presidential campaign.