A Google engineer revealed that more than 90 percent of active Gmail accounts don’t use two-factor authentication (2FA), reports The Register. Given the low uptake, The Register asked Google software engineer Grzegorz Milka why 2FA isn’t mandatory for all Gmail accounts. Milka chalks it up to usability, adding that, “It’s about how many people would we drive out if we force them to use additional security.” The statistic was shared during a presentation at Usenix’s Enigma 2018 security conference in California.

Two-factor authentication is a security tool that requires a user’s password as well as an additional form of authorization. It adds another layer of security if your password has been stolen, or you use the same password for multiple websites. Google offers 2FA through a code that’s sent to your phone via text, voice call, mobile app, or via a Security Key that’s inserted into your computer’s USB port.

The Register reports that more than 10 percent of users trying to enable Google’s 2FA encountered problems inputting an access code sent via SMS. Though 2FA provides meaningful protection and most sites offer 2FA, it does have limits, and methods like SMS authentication are easier to hack than something like a hardware token. Google has previously said it plans to upgrade its two-factor authentication tool after high-profile hacks, but this new service will be aimed at those needing extra security like politicians and executives.