Google is on a mission to push users to upgrade the security on their accounts. “We want to move beyond passwords altogether,” it says, as a tidal wave of password attacks continues to make weekly headlines.
Google’s advice is to move to passkeys, which link your account security to your device security, meaning no passwords or even two-factor authentication (2FA) codes to steal. But the company’s update includes a much more serious warning for most users.
At a headline level, Google’s new “Scams and Protections” report, pulled together with Morning Consult, found that “when it comes to online protection, U.S. consumers turn to traditional security practices such as unique passwords and 2FA.”
But it’s much worse than it sounds. When asked about “security practices used for personal online protection,” it turns out that while 60% of U.S. consumers “use strong, unique passwords,” less than 50% — across all age groups — “enable 2FA.”
In fact, while the use of passkeys varies materially across groups (40% of Gen-Z and only 26% of Baby Boomers), the adoption rate for 2FA is between 46% and 48% across all generations. That’s remarkably consistent and remarkably worrying. All of those users not enabling 2FA should consider themselves at risk.
There are now very few online accounts that don’t offer 2FA, although there are some notable exceptions, such as Netflix. SMS codes are still the most popular and most persistent form of 2FA, but also the most dangerous: they are open to on-device interception or more sophisticated SIM jacking or network attacks. There are better options — but even using SMS is better than not using anything at all.
The stats suggest more than half of U.S. consumers do not enable any form of 2FA and rely on just User IDs and passwords. That’s the equivalent of leaving your front door unlocked, with a sign saying “please don’t come in.” Relying on passwords alone — given the scale of password breaches and attacks — is almost akin to no security at all.
Yes, those passwords are strong and unique and maybe even updated on a regular basis, but once there’s a breach, there’s a breach. And if an attacker has your combination of User ID and password, then they can hammer other logins with the same. The 2FA adoption rate has stalled. It increased from 33% to 45% between 2017 and 2023, but now remains stuck below 50% even as it’s made mandatory on many accounts.
Even at an enterprise level, where Microsoft has consistently said 2FA blocks more than 99% of attacks, “only 57% of global organizations have fully implemented 2FA.” As for what you should use — passkeys are best, given the ease of use and linkage to your device. An authenticator app is next best, again linking to a device but with some risk of interception or socially engineered trickery to get users to share codes. Use whatever form of 2FA is easiest — even SMS if you must, but use something.