Google does not enforce MFA on its users – because good security is “too hard”

Is the tech giant worried by users leaving its pervasive ecosystem - because signing in with MFA is "too hard"?
13 October 2021

A Senior Account Manager at Google speaks during the Miss Vickie’s PartnerChip Small Business Leader Summit at Frito-Lay Headquarters in 2019. (Photo by Cooper Neill / GETTY IMAGES NORTH AMERICA / Getty Images via AFP)

By the end of this year, Google will have automatically enrolled 152 million users of its services into applying multifactor authentication (MFA) to secure access to their account — that’s around 8.5% of its user base. Add that to the “less than 10%” of Google account holders that had opted for its two-factor-only authentication (2FA) back in 2018, and whichever way you spin it — probably no more than 20% of the internet giant’s expansive userbase are choosing to operate safely of their own volition.

It’s problematic to equate the Google users’ figures with online service users at large: many services such as banking, online payments, and governmental procedures like passport application require MFA, or at the least 2FA. But these are the aspects of life few can do without.

The ironic difference is that when non-essential account access is made more “difficult” by some form of multifactor authentication, many users seek “simpler” alternatives. That’s a fact confirmed by Google’s Grzegorz Milka, speaking to The Register after Usenix’s Enigma conference back in 2018: “The answer is usability. It’s about how many people would we drive out if we force them to use additional security.”

There’s an obvious difference between being mandated to use 2FA for an essential service, and opting not to for non-essentials such as a personal Google Drive, for instance. But it’s arguable that certain online services are not optional in the workplace: stop reading your company emails or writing the documents you’re paid to is a choice, but one that only lottery winners would take. So it could be argued, therefore, that stipulating MFA for Office 365, for example, would be a no-brainer.

However, according to Marcus Kuber, CEO of Specops Software, writing in VentureBeat in 2018, “When we asked respondents why they were not using MFA to protect the Office 365 login, the majority of respondents pointed to the potential negative impact on the user experience as the primary reason. Other reasons included set up complexity, separate billing/pricing/ licensing, and a lack of MFA options.”

Office 365 is a product seen as a mandatory part of working life, so organizations might feel they can enforce a 2FA policy to access it and other tools provided to get a day’s work done.

The costs to businesses of implementing 2FA fall into three distinct categories: operational costs (calls to helpdesks, maintaining MFA infrastructure), HR issues (staff grumbling that their lives are being made more difficult), and set up costs (buying smart cards, USB keys, 2FA app licenses).

As is the constant trope in cybersecurity, these costs, even combined, pale into insignificance compared to those caused by a dedicated and successful cyber attack. User error and ensuing account compromise, poor cyber hygiene, and lack of enforced password policies are by far the biggest cause of cyber incursion. The biggest, often oblivious threats to any business, walk around on two legs.

The imperative underlying every technology service provider is to attract and keep users. If those users are made to jump through hoops — albeit for their own good or the good of their employer — then the danger is that they will start looking around for easier alternatives. It’s human nature: cod evolutionary theory states that “easy” equals “better” (physiologically speaking, “easier” expends less energy, thus decreasing the need for food).

The best compromise that organizations can make is to plow energy and resources into the twin projects of incentivization and education. On the former score, LastPass’s consummate move was to offer free friends & family password manager licenses to business license holders — but incentivizing staff individually inside the organization will require a good deal more inspiration.

With regards to user education, monetary investment is pretty much unavoidable: pulling staff away from tasks to undertake a little learning will hit productivity figures negatively. But the cybersecurity trope still holds: it’ll be cheaper than being hacked.

Google is only implementing its enforced use of MFA for choice accounts, whose holders, the company feels, can cope with the technical overhead of authenticating twice and whose accounts have backups in place (in case they are locked by failed login attempts). Apple has gone much further than Google in pushing MFA to access its services, but its offerings are held to be attractive enough that doing so does not drive too many away from its walled garden. Furthermore, Apple’s PR people have been pushing the “Apple as arbiter of privacy and security” message, so enforced implementation of MFA can always be justified by that shtick.

Conversely, Google’s lifeblood is the data of its users, so having users leave makes poor business sense. That probably explains why by the end of 2021, it has its eyes set on such a low target of 152 million more using MFA to access their Google and YouTube accounts.