Tech Companies Push Users to Adopt Two-Factor Authentication

Inertia and ignorance have slowed the voluntary adoption of an online security tool. Some companies have begun mandating it in response.

By guest author Katie Deighton from the Wall Street Journal.

Google has spent the better part of 10 years persuading users to add an extra layer of security verification to their accounts. Now, it’s done asking nicely.

The Alphabet Inc. unit said it plans to automatically enroll 150 million Google accounts and 2 million YouTube accounts in its two-step verification program by the end of the year. Users will have to do more than simply enter a password to log in to their accounts. They’ll also have to enter a code sent via an app or text message, or plug in a physical security “key.” Users can opt out if they wish.

“We think that this is now table stakes,” said Mark Risher, senior director of product management of Google’s Android operating system and the former head of its security and identity teams. The company said it will enroll the rest of its accounts as quickly as possible starting in 2022 but declined to disclose how many accounts it has registered.

Companies such as Google are pushing more account holders to use two-step verification, a variation of the more commonly used two-factor authentication or 2FA. Passwords are no longer enough to keep accounts secure, they say, and hacked accounts can cost companies time, money and many kinds of trouble.

Consumers, on the other hand, don’t seem to feel the imperative. While Google declined to say how many of its accounts currently have two-step verification in place, a company engineer in 2018 put the figure at less than 10%.

Twitter Inc. in July revealed that only 2.3% of its active accounts had 2FA switched on during the second half of last year. Meta Platforms Inc., the company formerly known as Facebook Inc., declined to disclose the percentage of its accounts that have 2FA activated but said that its Instagram and Facebook platforms have similar figures.

Reluctance to enroll in 2FA tends to stem from users’ misplaced confidence in passwords, frustration or confusion during setup, or simple laziness, according to digital-security professionals.

Many people also don’t recognize how their lack of security can affect others, said Jean Camp, director of Indiana University’s Center for Security and Privacy in Informatics, Computing, and Engineering.

Hackers only need access to one account to do a world of harm, such as gaining access to other accounts, sharing intimate information and photographs, and impersonating the account holder to scam money from their friends, family and coworkers, Prof. Camp said.

Now tech companies are gradually replacing a strategy of “it’s there if you want it” with mandates to enroll in 2FA or design techniques that strongly encourage it.

Twitter in 2018 started pushing out pop-up messages prompting some users—primarily with verified and election-related accounts—to set up the tool, five years after adding it as an option in settings. Twitter said it has evidence that the prompts have increased 2FA adoption but declined to disclose how much.

Amazon.com Inc.’s smart-home company, Ring, last year announced it was making 2FA mandatory for all users following criticism that customers’ home cameras could easily be accessed by others.

And Meta last year began mandating 2FA for people who use its Business Manager tool to run companies’ pages and advertising accounts. It also requires 2FA to enroll in a voluntary program that was first designed to protect political accounts ahead of the 2020 presidential election, and is now being opened up to certain other high-profile users. For regular users, the company said it is rolling out a prompt to set up 2FA in Facebook’s Security Checkup feature and is investing in making it easier and faster to enable.

The companies are also building out a variety of verification tools to make the process more user friendly. These include multifactor-authentication apps, such as Google Authenticator and Authy, which ask users to verify their identity by pushing a button or entering a code from another device, and physical security keys that look like flash drives and plug into computers.

2FA systems that send verification codes via text message are the most familiar to consumers but are the most vulnerable to phishing attacks, security executives and academics say.

Companies have hesitated to mandate 2FA out of fear that they would drive people away.

Setting up 2FA means adding steps to the process of signing up for a service, and “more people will complete sign-up flows if there’s fewer steps,” said Tracy Chou, founder and chief executive of Block Party, an app designed to filter out unwanted mentions and messages on social media.

Block Party requires users to set up a second verification method when they join, even though that might mean fewer people register in the first place, Ms. Chou acknowledged.

Even Google in 2018 said it would not mandate two-step verification over concerns that the extra hurdles might alienate users. The company has changed course for three reasons, according to Mr. Risher, the Google executive: 2FA systems are now easier to use and more familiar to consumers, smartphone or second-device usage is at a high, and widespread attacks are much more prevalent, visible and serious.

“Everybody, if they themselves haven’t been hacked, will have a close friend or family member that has been,” he said. “They now know the consequences, their imaginations have gotten bigger.”

www.wsj.com