• by Ray Schultz , Columnist, January 23, 2018

Google thought it was doing a good thing when it introduced two-factor authentication (2FA) for Gmail accounts in 2011.

But Gmail users disagree. Fewer than 10% use 2FA, according to a report in The Register based on a speech by Google software engineer Grzegorz Milka at Usenix's Enigma 2018 security conference. 

Don’t these people realize that 2FA adds “another layer of security if your password has been stolen, or you use the same password for multiple websites,” as the Verge puts it.

Maybe, but there are two problems with 2FA. One is convenience.

“It’s about how many people would we drive out if we force them to use additional security.” Milka said, explaining why Google didn’t simply make 2FA mandatory, according to The Register. “The answer is usability.” 

Then there’s privacy. 

“The method is not perfect, as last year TrendMicro revealed that Russian hackers were able to circumvent the OAuth standard employed by Google for its 2-way verification process,” Android Headlines reports.

For the 15% that reportedly cited privacy in a 2015 survey by Sophos, “their fears aren’t baseless,” states the XDA Developer's Blog. “Some experts have pointed to weaknesses in SMS-based 2FA, citing the risk of interception by attackers who manage to spoof phone numbers.”

Gmail reportedly is planning to upgrade the service in response to these issues. “In October, it rolled out a new method for 2FA that replaced SMS with the "Google Prompt," a verification screen built into Google Play services on Android and the Google app on iOS,” XDA adds.

This method “doesn’t require you to enter a passphrase, instead using heuristics like your phone’s geographic location and the time of day to verify your identity.”

All well and good. But it’s possible that Gmail users simply don’t want to be bothered with the two-factor process. 

And one may challenge Milka’s statistics. A recent survey by Duo found that 28% of Americans use 2FA, according to Sci-Tech Today.

But that brings us to what may be the main problem. “More than half of respondents -- 56% -- said they hadn't heard of two-factor authentication before the survey, Duo found, Sci-Tech Today continues.

In other words, Gmail has to do a better job of selling it.