OT: How prevalent is use of two-factor authentication?


smontanaro
09-28-2016, 12:17 PM
I saw mention that two-factor authentication (2FA) isn't foolproof. That's true (https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/). Still, it's better than just a password (often, not a very good one). As we see more and more reports in the news of massive theft of account details (Yahoo! just being the most recently announced, and so far, the largest), I started to wonder how widely 2FA is used where it's deployed. My Google-fu failed me.

That leads me to my question. Ignoring, for the moment, the many critical sites which don't support 2FA at all, for those which do, does anyone have info about approximate usage? Take Google and Yahoo!. Both support it (https://twofactorauth.org/). What fraction of their users take advantage of it?

seric
09-28-2016, 02:35 PM
There is a lot of conjecture in this area. The following paper is the most comprehensive look I've seen on the subject of adoption rates. It found Google's 2FA adoption to be in the area of 6.4%, which isn't bad at all:

http://users.ics.forth.gr/~elathan/papers/eurosec15.pdf


I just received verification that this number is not significantly incorrect. I'll poke one of Yahoo's principal architects to see if he has any input.

unterhausen
09-28-2016, 02:39 PM
I have 2fa at work, paypal and on google. Would use it more places if it were available. I'm not sure what you are supposed to do that's more secure.

according to the OP's link, the biggest flaw in 2fa is that the system admins can turn it off. Pretty typical.

seric
09-28-2016, 02:43 PM
I have 2fa at work, paypal and on google. Would use it more places if it were available. I'm not sure what you are supposed to do that's more secure.


This is a valuable link if you want to discover which other sites you can turn it on for:
https://twofactorauth.org/

Password managers are also extremely valuable. Many ingenious seeming methods of creating unique passwords for different sites don't really hold up when viewing a list of 3-4 compromised accounts registered to the same email address. It's usually pretty easy to spot patterns which otherwise seem complex.

I also recommend using fake answers in your security questions, and storing these answers in a password manager. I use Keepass, since I prefer to host my own database and sync it between devices.

MattTuck
09-28-2016, 02:44 PM
I think that security stuff is over-rated. I'm going to set up my own email server in my basement and conduct my business on that.

smontanaro
09-28-2016, 02:57 PM
I think that security stuff is over-rated. I'm going to set up my own email server in my basement and conduct my business on that.

Good to hear. When you're set up, let me know. I've been looking for a secure place to keep copies of all my tax returns and passwords. :)

smontanaro
09-28-2016, 02:59 PM
The following paper is the most comprehensive look I've seen on the subject of adoption rates. It found Google's 2FA adoption to be in the area of 6.4%, which isn't bad at all:

http://users.ics.forth.gr/~elathan/papers/eurosec15.pdf


Thanks. Looks like good bedtime reading. I've been having trouble falling asleep recently. I am obviously not riding my bike enough. :)

MattTuck
09-28-2016, 06:00 PM
While we're on the topic of security, I'm curious if anyone is using ProtonMail as their primary email provider?

I requested an account a while ago, but never activated it. I'm thinking it might be something to go through with.

tumbler
09-28-2016, 06:08 PM
I also recommend using fake answers in your security questions, and storing these answers in a password manager. I use Keepass, since I prefer to host my own database and sync it between devices.

I think about this constantly. What good is a super complex, 30 character jumble of random letters/numbers/symbols if someone can get access to my account with the name of my high school and my mother's maiden name?

I used to fill those in, thinking I may need them one day, but have recently started skipping them (if permitted) or putting nonsense in there if they are required to create an account. This has already bitten me once when I had to call customer service for one of these companies. They wanted to verify my access by asking me security questions that I entered online. None of my answers were matching, which I thought was strange since they were non-ambiguous questions. The rep finally authorized me through some other method and revealed that the answer to all of my security questions was "this is stupid". They suggested I change that.

I like the idea of using another random string there and storing it in my password manager. It's a PITA, but probably better than getting hacked.

MattTuck
09-28-2016, 06:12 PM
Didn't I just read recently that one of those password managers was compromised?

seric
09-28-2016, 07:11 PM
While we're on the topic of security, I'm curious if anyone is using ProtonMail as their primary email provider?

I requested an account a while ago, but never activated it. I'm thinking it might be something to go through with.

I have an early Protonmail account I use for some archiving, but not as my primary email solution. I don't generally treat email as anything other than a plain text communication platform unless using GPG. Protonmail is a good intermediary solution after Ladar was forced to shut down Lavabit, but it makes many compromises in design to reach the masses. Protonmail is best used with other Protonmail users. Each step away from that loses you security.

Didn't I just read recently that one of those password managers was compromised?

Yup, Lastpass has been hacked a couple of times. Some user data was compromised including security questions. Their salting probably protected any widespread compromising of user databases. I still prefer to host my own database with Keepass. There have also been phishing attacks taking advantage of cloning their browser plugin.


At the end of the day, security is a game of economics. User effort is part of the economics involved.
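
The post above credits salting with limiting the damage from a stolen user database. The following is an added example, not LastPass's or KeePass's code, showing what that means concretely: a constructed user table in which two people chose the same password. With a plain hash, the duplicate is visible at a glance and a single cracked entry unlocks every account sharing it; with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here, via Python's standard library) the stored values differ and each one has to be attacked separately. The helper names and the iteration count are this example's choices.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 200_000  # chosen for the example; tune to your hardware budget


def unsalted_digest(password: str) -> str:
    """What a naive store keeps: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus PBKDF2; returns (salt, digest) for storage."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(table: dict) -> list:
    """Group usernames whose stored value is identical, i.e. what an attacker who
    obtained the table can read off without cracking anything."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts; two of them picked the same weak password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "Summer2016!",
    "carol": "Summer2016!",
}


def build_unsalted_table() -> dict:
    return {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}


def build_salted_table() -> dict:
    return {u: hash_password(p) for u, p in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicates:", shared_password_groups(build_unsalted_table()))
    salted = build_salted_table()
    print("salted duplicates:", shared_password_groups(salted))
    salt, digest = salted["bob"]
    print("bob login ok:", verify_password("Summer2016!", salt, digest))
    print("bob wrong pw:", verify_password("summer2016!", salt, digest))
```

Salting does not make a weak password strong, which is why the thread's other advice (a password manager generating unique passwords, random strings in place of guessable security answers) still matters; it only stops one crack from cascading across every account that shares the same secret.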