Less than 10 percent of Google accounts have two-factor authentication enabled, and only about 12 percent of Americans use password managers.
It has been almost seven years since Google introduced two-factor authentication (2FA) for their services. However, the number of people using it remains negligible.
Taking the floor at USENIX Enigma 2018 conference held in January, a security engineer at Google Grzegorz Milka revealed some disconcerting statistics regarding most users’ security practices. According to the report, less than 10 percent of active Google accounts use two-factor authentication. Furthermore, as per findings of the Pew Research Center, password managers are only used by approximately 12 percent of Americans.
There is an obvious privacy aspect here — users are required to provide their phone number when activating 2FA. This doesn’t suit people who are unwilling to share their sensitive details with the worldwide data aggregate, which is understandable. Even putting this nuance out of the equation, though, most people choose not to use 2FA for other reasons. What are those reasons?
Google was one of the first large Internet services that implemented 2FA. Besides, the company has been actively promoting this additional security technique via Google Authenticator App that allows linking an account to a specific device. Two-factor authentication also works via SMS.
Caveats of SMS as an authentication factor
First and foremost, 2FA via SMS has been officially labeled insecure due to critical vulnerabilities in Signaling System 7 (SS7), a telecommunications standard used by cellular networks to interact with one another.
Researchers from Positive Technologies, a company specializing in vulnerability assessment and threat analysis, released a report back in 2014 where they demonstrated the SMS interception workflow in detail. In a nutshell, the attack revolves around registering a subscriber with a fake MSC/VLR. The initial data includes the subscriber’s IMSI and the address of the current MSC/VLR, which can be obtained by means of a specific USSD request within the SS7 network. After the victim has been registered with the rogue MSC/VLR, they stop receiving incoming calls and SMS. All text messages will be forwarded to an attacker.
Intercepting other people’s text messages isn’t pure theory or science fiction. Attacks of that sort have been pulled off multiple times by hackers and law enforcement agencies of different countries. One way or another, 2FA via SMS appears to be an insecure method of authentication. The U.S. National Institute of Standards and Technology (NIST) released a special publication of its Digital Identity Guidelines in 2016. It proposed “deprecating” SMS as a second authentication factor due to this technique’s obvious security imperfections.
In other words, in some cases, two-factor authentication isn’t secure and instead evokes a sense of delusive security. Users think their account cannot be compromised without the attackers getting hold of their mobile device, so they may set weaker passwords for their online accounts. This means 2FA can even downgrade users’ security in the long run.
Google never implemented other ways of 2FA, such as the widespread technique where a secret code is sent to a customer’s alternate email address. Perhaps the company deemed this method as insecure as 2FA via SMS. Regardless of the 2FA mechanism being used, it implies some additional action on the user’s end, that is, people experience certain inconveniences. It looks like a lot of users are okay with sacrificing their security for convenience.
Burdensome?
Grzegorz Milka, the above-mentioned Google employee, confirmed the speculation regarding inconvenience of such additional security. Reporters from The Register asked him why Google didn’t make two-factor authentication obligatory for all accounts. He replied as follows, “The answer is usability. It’s about how many people would we drive out if we force them to use additional security.”
Google engineers are apparently doing their best to simplify the process. For instance, the company launched Google Prompt service in July 2017. It does not use confirmation codes but instead requires the user to tap a prompt received on their phone as their second sign-in step.
However, based on statistics, people find this ostensibly easy 2FA method too complicated as well. Any extra button pressed, prompt tapped, or screen viewed appears to be a burden that deteriorates user experience. Even the simplest action online can be a hurdle to some people. According to Google, more than 10 percent of users who tried 2FA failed to accurately enter the secret code received via SMS.
It turns out, most users are simply unprepared for the “convenience vs. security”’ tradeoff. Some people think they have nothing to conceal. Some believe their accounts bear no value to perpetrators and therefore they will never fall victim to compromise. In order to protect these people, Google is trying to improve heuristics and detect malware and breach incidents by identifying specific user activity patterns. The problem is, it takes an attacker only a few minutes to carry out the compromise, so it is imperative to react fast enough.
Different account breach scenarios tend to have common characteristics. Having signed in, the threat actor disables notifications, looks for valuable information (Bitcoin wallets, password files, sensitive photos, etc.), exports the contacts list, and configures a filter to obfuscate their shenanigans from the owner.
Google has been making efforts to prevent such activity, generating different types of notifications and encouraging users to enable two-factor authentication. Unfortunately, most people have yet to mature in terms of the right security mindset.