Are You More Secure than 90% of Google Users? 

February 6, 2018 | Product Updates

As the saying goes, you can lead a horse to water but you can’t make it drink. And that seems to be the case when it comes to increasing adoption of security features, too. Google software engineer Grzegorz Milka recently shared an alarming statistic: Less than 10% of active users turn on multi-factor authentication (MFA) for their Google accounts. 

Google users are forgoing multi-factor authentication 

Seven years after Google introduced MFA, it seems adoption is still woefully low. Given that Gmail accounts are highly prized targets for criminals, more people should be taking advantage of the added protection.

We’ve long talked of the benefits of adding additional authentication steps for better security. By adding another login step, you’re making it that much more difficult for someone to break into an account. And really, it’s easy to set up, it’s free, and it keeps opportunistic hackers at bay. 

What’s not to like? 

Security at the cost of convenience? 

Well, the trouble is, added security often comes with a perceived level of inconvenience that many people don’t want to deal with. As Milka said in his talk, “It’s about how many people we would drive out if we force them to use additional security.” Like all services, Google has to weigh security and usability. 

In our own study released last year, we found that 26.5% of businesses were standardizing on multi-factor authentication. It’s encouraging to see that businesses are implementing these best practices and being proactive in securing employee accounts. 

But consumers are often left to make the decision for themselves, and it’s clear most of us aren’t being proactive enough. You can easily be more secure than most Google users out there just by turning on MFA.  

Stop being lazy, start being more secure 

In my own experience, any usability impacts from MFA are minimal. Many of today’s top MFA options are easy to set up and use. Plus, some can even authenticate you with a tap on a push notification to your phone, without even needing to type in a code.  

And if you’re using a password manager to autofill your username and password, you’re already saving time and streamlining the login process. The additional MFA login step becomes much less disruptive when passwords are automated for you, too.

In my opinion, the hardest part is 1) educating people about multi-factor authentication so they’re aware of what it is and 2) taking the few minutes to set it up. Many companies, including Google and Facebook, are now being more proactive about asking users to do “security check-ups”. MFA is often presented as an option during those check-ups, so we hope to see adoption rise as a result.

If you’re not yet using MFA for Google, LastPass, and your other important accounts, take this as a friendly, urgent reminder to turn it on today! Doing the basics well will put you ahead of the pack, and you’ll feel more confident in your online security, too. 


  • David says:

    Google’s numbers don’t take into account what those accounts are used for. I, like many others I know, have multiple Google accounts, used for anything from reserving an address to perhaps making a comment somewhere I didn’t want to use my main. Many of these accounts are something I sign into once a year if that. Only my main account has 2FA on it, but it’s had it for years. Why not 2FA my other accounts? Because they are so low priority, they aren’t worth it to me to go through the extra effort, and more importantly, because Google will not let me use the same 2FA auth for multiple accounts. Why does this matter? Well, for starters, if I had a single 2FA entry for “Google” in the Authenticator app on my phone, the pain of using it is non-existent. Enabling it on 5 accounts doesn’t mean 5 entries in the Authenticator app, it only means 1. Until that happens (if it ever happens), the extra clutter just isn’t worth something that I honestly don’t care about in the first place – security on an account that never had any information of relevance, and that I likely haven’t cared about for some months if not years. Not all accounts are created equally.

    • Leah Bachmann says:

      David, that’s an interesting point about needing to consider what the Google accounts are used for. Thanks for your comment.