Why are so few people using Google’s 2-factor authentication?

Google’s 2-factor authentication makes it exponentially harder for your Google account to be hacked, by requiring, after entry of your password, an extra code generated by a smartphone app on a smartphone that was previously linked to your Google account. Since securing your e-mail account is crucial (especially since your e-mail account is used for password retrieval/reset of very many websites and applications), I view it as something everyone with a Google account simply must use, to be able to sleep easy. Especially now you only have to enter the generated security code only once per device ever (and not every 30 days anymore, as was the case previously), I find it pretty painless to use.

However, of all the people I know with a Google account (almost everyone), only one person (besides myself) is actually using Google 2-factor authentication. Why is that? When asked (and some guessing from my side), the following reasons emerge:

  1. Never heard of it. Google 2-factor authentication isn’t very well advertised. It’s not like you get a message every time you log in without using it.
  2. Don’t care about security. Most people I know simply don’t care about online security. They vaguely hear some things about it, but it never comes up that you can actively do something about it. If some hacking event happens to themselves, it’s treated as a fact of life, that you simply can not help.
  3. Too much effort. For many people even using different, strong, passwords for every website, and using a password manager, is already way too much of an effort. Using a smartphone during login, and typing an extra code, is unthinkable.
  4. Setting up Google’s 2-format authentication is too complex. The process is pretty straightforward (you use your smartphone to take a picture of a QR code, to link your smartphone), but still a big hurdle for many people to even consider.
  5. Re-authentication after loss of phone is cumbersome. If you lose or reset your phone (or buy a new one), you first have to unlink your previous phone (using one of the recovery codes, that you hopefully printed out), before you can link your new phone. After having this done once, many people come to the conclusion never to do that again, and don’t re-activate 2-factor authentication.
  6. Application-specific passwords are hard to find and use. Some applications need to have access to your Google account without you being present to login interactively (think mail and calendar applications on desktops and devices). For this, Google has so-called application-specific passwords, which are 16-letter passwords that can be (or at least should be) used for only one application, and are displayed only once by Google (after having used them you can not view them again, you would have to generate a new one).
    Not only is the place to generate these passwords very hard to find (hidden somewhere in your Google account “Security” settings), but the whole concept of what these passwords are, and how they should be used is foreign to most users. Also, because using an application-specific password for only one application is not (and can not be) enforced, it can be a cause of security loopholes.

I am certainly not a security evangelist, but I think that Google has spend a lot of effort in making 2-factor authentication as easy and painless to use as possible (as opposed to other companies, such as Blizzard, where you have to call support, and supply credit-card info etc. to link your account to a new phone), and I think that everyone with a Google account should use it. Still, as the points above indicate, there’s still a long way to go until everyone understands the need for it, and the process becomes easy enough for absolutely everyone to use it.

SQL Server Blog

Thoughts about SaaS software architecture

Brent Ozar Unlimited®

Thoughts about SaaS software architecture

The Visual Studio Blog

Thoughts about SaaS software architecture

Microsoft Azure Blog

Thoughts about SaaS software architecture

AWS News Blog

Thoughts about SaaS software architecture

%d bloggers like this: