Google Lauds 2FA Results—So Why do People HATE It?

Google started auto-enrolling users in two-factor authentication (2FA). That was nine months ago—now it’s releasing the results.

Account breaches halved. That’s the big headline, anyway. But listening to people talk about it on the internet, you’d be forgiven for thinking 2FA is the worst thing since Communism.

Oh, and Google persists in calling it two-step verification (2SV). In today’s SB Blogwatch, we can be nerdily stubborn, too.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mr. Bean in Half-Life 2.

2FA? 2SV? Let’s Call the Whole Thing Off

What’s the craic? Jon Fingas reports—“Google says default 2FA cut account breaches in half”:

Google’s decision to enable two-factor authentication by default appears to have borne fruit. The search firm has revealed that account breaches dropped by 50 percent. … The plunge was proof the extra factor is “effective” in safeguarding your data, Google said.

More than 150 million people have been auto-enrolled so far, including more than 2 million YouTube creators. … The company also promised more security upgrades. … Google will let you opt-in to an account-level safe browsing option that keeps you from visiting known harmful sites. Google is also expanding Assistant’s privacy-minded Guest Mode to nine new languages … and has promised to ramp up safeguards for politicians ahead of the US midterm elections.

The reduced volume of account breaches isn’t a shock. … It hasn’t always been easy to show the tangible impact of 2FA on security, though, and the sheer scale of Google’s user base gives it a representative sample others can’t easily match.

O RLY? Robert Lemos begs to differ—“Microsoft on MFA”:

Google is not the only company that has documented the success of using a second factor. … In 2019, Microsoft cited research that suggested that nearly all victims of successful compromises did not [use] two-factor authentication. … Still, new data from Microsoft’s Azure Active Directory Service shows that only around 22% of organizations [use] MFA … (multifactor authentication).

Eliminating the reliance on passwords is an increasingly important effort by service providers and security firms, especially as more employers moved to adopting remote work during the pandemic. … The addition of two-step verification and other forms of MFA means that account recovery becomes the next support headache and a potential vector of attacks. For that reason, Google has put additional effort into prompting users to enter in phone numbers and other ways of contacting them.

How did we get here? Corin Faife sets the Wayback machine to Stun—“The results support an ongoing project to boost enrollment”:

In 2018, a Google engineer revealed that more than 90 percent of active Gmail accounts were not using two-factor authentication, prompting questions as to why Google wouldn’t make the two-step authentication process mandatory. Since then, the company has been on a path to make 2SV a default option for a greater share of users and a mandatory step for some.

Nudging users toward security works. That’s the top-line finding four months into Google’s initiative.

But reactions are overwhelmingly negative. For example, this from browningstreet:

Is 2FAing everything in our life really the way to go? I’m 2FAing so many times each day — work, email, entertainment, banking, etc. And if you ever change an element of your life, like moving to a new house, it’s bonkers for a few days.

What comes after 2FA-everything?

And this, from dgatwood:

The problem is fundamentally that for most folks, “2-factor” authentication almost never actually involves a truly independent second factor. … If hardware two-factor were more ubiquitous, and websites were less averse to letting people stay signed in, these problems wouldn’t exist. Requiring significant extra verification with a hardware second factor is fine as long as you only do it when you add a new device.

But instead, we have all these websites that kick you out after an hour, thinking that they’re somehow making things “more secure”, all the while causing people to send their passwords over and over again, making any sort of real security (like hardware two-factor) a pain in the backside. … Security on the Internet is a mess, and I think the only way it will ever get meaningfully better is if Apple, Google, Microsoft, Firefox/Mozilla, and other browser vendors work together to create a unified single-sign-in standard, and pressure companies to support it broadly.

Hey, a guy can dream, right?

And just look at this spittle-flecked invective by nonrandomstring:

“Whether they like it or not” is the story. The transition from elective to non-consensual “for your own good security” no longer means more or less “security,” it is a qualitative, fundamental change in what “security” is.

The power relation has changed. This is no longer about security, as you and I (regular folk) would understand it. Call it other things please; data-mining, enforced tracking, enclosure, domestication, bullying—but don’t dignify the narrative by continuing to talk about “security” or “authentication.”

Where is all this negativity coming from? squiggleslash thinks their opinion is unpopular, but it doesn’t seem that way:

2FA is overrated and most of the exploits people worry about do not involve guessing people’s passwords. … I don’t remember the last time I heard about someone’s account being compromised that way. Usually it involves access to the victim’s email or SMSes, and using that to start a password reset.

2FA is … not user friendly, it creates only marginal improvements in security, and ultimately it’ll probably just reduce the usage of anything afflicted by it. And just like email, the people pushing it are pushing it for dubious reasons.

Unpopular opinion, I know, but 2FA is ****.

Perhaps it’s down to bad experiences? Such as this tale of woe, from muh_gradle:

2FA with Google has screwed me out of an important account when I switched phone numbers after moving countries. I was on the phone with customer service for countless hours and customer support more or less directly said that there’s nothing that can be done.

The only way I was able to recover the account was some internal process with a friend that worked at Google at the time. This was 5 years ago. I have never opted into 2FA since.

Meanwhile, AmiMoJo offers this rare level-headed assessment:

2FA is highly effective against stolen passwords, but it’s not magic.

And Finally:

Half-Wit 2

Hat tip: jonbob


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Google

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
