It makes it harder for people to break into your account, even if they have your login details

One of Gmail’s most effective security features is hardly used by anyone, Google has revealed.

Two-factor authentication (2FA) has been enabled on less than 10 per cent of active Google accounts, the company says.

The feature is designed to make it much harder for people to break into your account, even if they have your email address and password.

With 2FA enabled, you’ll be required to enter an authentication code in addition to your login details.

As Google puts it: “You sign in with something you know (your password) and something you have (a code sent to your phone).”

You can turn it on by following Google’s step-by-step instructions.

“Codes are uniquely crafted for your account when you need them,” says Google.

“If you choose to use verification codes, they will be sent to your phone via text, voice call, or our mobile app. Each code can only be used once.”

Asked why 2FA isn’t mandatory on all accounts, Google software engineer Grzegorz Milka said the company fears the feature could turn users off.

“The answer is usability,” he told The Register. “It’s about how many people would we drive out if we force them to use additional security.”

Google lets you choose not to use two-step verification on a particular computer. When you sign in to your Gmail account on that computer, it will only ask for your email address and password. On other computers, two-step verification will be required.

The company recently revealed the biggest risks to users of Google services.

In the space of 12 months, it found 788,000 login credentials stolen via keyloggers (tools that secretly record every key you press), 12 million stolen via phishing (a method of tricking you into giving up your personal information), and 3.3 billion exposed by third-party data breaches.