
90 Percent of Gmail Users Are Not Properly Protecting Their Accounts

A Google engineer has revealed that despite Gmail having offered two-step verification since 2011, the vast majority of account holders are still not using one of its best features. Speaking at the recent Enigma 2018 security conference, Grzegorz Milka, a software engineer at Google, said that fewer than ten percent of active Gmail users - roughly 1 in 10 people at best - have bothered to turn on two-factor authentication.

This is a staggeringly low figure when one considers a few important things. Firstly, an email account is the hub of a person's digital life. When people forget passwords for third-party services - social media, online shopping, digital payment accounts - it is usually their Gmail address that receives the reset link, so whoever controls the mailbox can take over every account that recovers through it.

In addition, research shows that people in the US are still not using password managers, which strongly suggests they are choosing weak passwords and reusing the same ones across services. According to Pew Research Center, only 12 percent of Americans use a password manager - a very similar percentage to the share using Gmail two-factor, which suggests it is the same small security-conscious group in both cases.


Hacking Explosion

In recent years, ready-made hacking tools and attacks by "script kiddies" have risen sharply, leading to a global explosion in the number of account compromises. At the same time there have been several serious cases of enormous dumps of stolen passwords being sold on the darknet.

On one occasion, over 25 million Gmail and Yahoo accounts were being sold online. Another report claimed that 200 million Yahoo accounts had appeared for sale on deep web marketplaces. 

With so much publicity surrounding these monumental breaches, it seems ludicrous that people aren't using two-factor auth. A password that has leaked from another site, been phished, or simply been guessed gives an attacker instant entry to a Gmail account; a second factor is what stops that password being sufficient on its own.


Not Compulsory

So, why isn’t Google forcing consumers to use two-factor authentication? Sadly, it would appear that Google fears losing consumers who literally can’t cope - or more likely don’t want to cope - with having to use the elevated security feature. Google’s software engineer implied that a large proportion of consumers are apathetic about digital security:

 “The answer is usability. It’s about how many people would we drive out if we force them to use additional security.”

According to Google, more than 10 percent of the people who try two-step verification have trouble entering the six-digit code that arrives via text message or is shown by an authenticator app. This seems barmy, and, as far as I'm concerned, points to the real problem - laziness and generally poor education about why this feature matters so much.


Should you be Using Two Factor Auth?

The answer to this question is yes. Your Gmail account isn't properly secured until you enable two-factor authentication. It doesn't matter too much whether you choose an SMS message, an authenticator app, or a physical security key such as a YubiKey (the most secure method, because the key only responds to the genuine Google sign-in page and so cannot be tricked into handing a code to a phishing site) - but please do it now!

Doing so will stop anybody from getting into your email account with the password alone. In practical terms, a hacker will need your password and the device that produces or receives your codes. SMS is the weakest of the options, since codes can be intercepted by someone who persuades your carrier to move your number to their SIM, and a code typed into a convincing fake login page can be relayed to the real one within seconds; an authenticator app avoids the first problem and a security key avoids both. Even so, any second factor is far better than none. Remember, attackers are usually in a far-off location, possibly overseas, so worrying that a hacker might physically steal your phone is not a sensible reason to abstain. What's more, two-factor auth is not difficult to set up and costs nothing.

Admittedly, if you lose your phone you will not be able to receive a text code or open your authenticator app, so you could be locked out of your own account. This puts some users off, but it shouldn't, because Google provides ways back in for exactly this situation.

You can sign in using one of the single-use backup codes Google lets you print or save when you set up two-step verification, or from a computer you have previously marked as trusted. Once in, you can remove the lost phone, add a new phone number or authenticator, and, if you have to, switch two-step verification off until your carrier has issued a replacement phone or SIM. The important part is to save those backup codes somewhere safe when you enable the feature, not after the phone has gone.


What is Google Doing To Protect Users?

Luckily for consumers, awareness of low uptake levels for two-factor auth is making Google work harder to protect people. According to Google, hackers tend to behave in similar ways when they gain access to a victim’s account. 

Firstly, they disable notifications. Next, they may add a mail filter that quietly archives, deletes, or forwards messages so that security alerts and their own activity never reach the inbox. With this done, they tend to search the mailbox for personal account information, intimate photos, bitcoin wallet correspondence, and other sensitive data. If Google detects this kind of activity it will temporarily lock the account to protect its owner.
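The filter trick described above is something you can check for yourself. The following audit is an added example written for this article, not Google's detection logic: it takes filter objects in the shape the Gmail API returns from `users.settings.filters.list` (each with `criteria` and `action` fields, the latter carrying `addLabelIds`, `removeLabelIds`, and `forward`) and flags the two patterns an intruder relies on: forwarding mail to an outside address, and routing security or recovery mail straight to Trash or past the inbox. The sample filters and addresses below are constructed for the example and do not come from any real account; fetching the real list from the API is left to the reader.

```python
"""Audit Gmail filters for the 'hide your tracks' pattern. Added example for this
article; the filter objects mirror the Gmail API filter resource shape, and the
sample data below is constructed, not taken from a real mailbox."""
import re

# Words that turn up in the mail an intruder most wants the owner never to see.
SENSITIVE_TERMS = re.compile(
    r"security alert|new sign-in|password|verification code|recovery|2-step|bitcoin|wallet",
    re.IGNORECASE,
)
# Gmail system labels whose addition or removal makes a message effectively vanish.
HIDING_ADDS = {"TRASH", "SPAM"}
HIDING_REMOVES = {"INBOX", "UNREAD"}


def _criteria_text(criteria: dict) -> str:
    """Flatten the string-valued criteria (from, to, subject, query, ...) into one blob."""
    return " ".join(str(v) for v in criteria.values() if isinstance(v, str))


def audit_filter(flt: dict, owner_domains: set) -> list:
    """Return human-readable findings for one filter; an empty list means it looks benign.

    owner_domains: domains the account owner legitimately forwards to (e.g. their own).
    """
    findings = []
    action = flt.get("action", {})
    criteria = flt.get("criteria", {})
    adds = set(action.get("addLabelIds", []))
    removes = set(action.get("removeLabelIds", []))
    forward = action.get("forward")

    # Pattern 1: silent exfiltration of everything that matches.
    if forward:
        domain = forward.rsplit("@", 1)[-1].lower()
        if domain not in owner_domains:
            findings.append(f"forwards matching mail to external address {forward}")

    # Pattern 2: hiding security/recovery mail so the owner never sees the alerts.
    hides = bool(adds & HIDING_ADDS) or bool(removes & HIDING_REMOVES)
    if hides and SENSITIVE_TERMS.search(_criteria_text(criteria)):
        findings.append("hides mail whose criteria match security/recovery keywords")
    if hides and not criteria:
        findings.append("hides mail with no criteria at all (would match everything)")
    return findings


def audit_filters(filters: list, owner_domains: set) -> dict:
    """Map filter id -> findings, for every filter that produced at least one finding."""
    report = {}
    for flt in filters:
        found = audit_filter(flt, owner_domains)
        if found:
            report[flt["id"]] = found
    return report


# Constructed sample: one ordinary tidy-up rule, two intruder-style rules, one benign forward.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": '"security alert" OR "new sign-in"'},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"to": "victim@example.com"},
     "action": {"forward": "collector@attacker-mail.example"}},
    {"id": "f4", "criteria": {"from": "boss@example.com"},
     "action": {"forward": "victim-archive@example.com"}},
]

if __name__ == "__main__":
    for fid, findings in audit_filters(SAMPLE_FILTERS, {"example.com"}).items():
        print(fid, "->", "; ".join(findings))
```

Run against the sample data, only `f2` (alerts sent to Trash) and `f3` (forwarding to an outside domain) are reported; the newsletter rule and the forward within the owner's own domain pass. The same check belongs in the recovery steps after any suspected compromise: changing the password and re-enabling two-step verification does nothing about a forwarding filter the intruder left behind.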

In addition, last November Google published a detailed study explaining how hackers get into accounts and what consumers can do to protect themselves. Following that study, Google has leaned harder on risk-based sign-in checks, weighing signals such as where and from what device a login is attempted. In practice this means people are asked more often to confirm that a login was really them, and in extreme cases accounts are frozen. Google believes the findings have already helped it protect 67 million Google accounts from takeover.

Despite these efforts, the fact remains that the best person to protect your email account is you. So please consider enabling two-factor auth, and tell your loved ones to do it too!

Opinions are the writer's own.

Title image credit: Irina Strelnikova/Shutterstock.com

Image credits: Pew Research infographic, fatmawati achmad zaenuri/Shutterstock.com, Peshkova/Shutterstock.com, tongcom photographer/Shutterstock.com

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

2 Comments

Michael
on January 27, 2018
Your article, although well intentioned, ignores a key point. Anyone who is truly serious about protecting their privacy (or customer service) is simply not using Gmail as their primary email address. I have always used a paid account for my primary email address, so that I can experience true customer service. Who wants to use two-factor authentication for their secondary email service (Gmail), which is used mostly to keep spam out of their primary email account? I have a third email provider (ProtonMail) for sending and receiving sensitive information. This article misses an entire aspect of email management, which people have used for decades. Gmail is wise to keep two-factor authentication optional.
Gweidion
on January 27, 2018
The answer is have a decent password in the first place instead of adding in unnecessary additional security.
