Fewer than one in 10 active Gmail users have enabled two-factor authentication, a free security measure meant to protect accounts against unauthorized access, a Google software engineer revealed Wednesday.

The feature works by safeguarding accounts with two separate sets of credentials: the user's password, and an auxiliary code that's sent to their cellphone immediately following an attempted log-in.

When enabled correctly, an account protected by two-factor authentication can't be compromised unless an attacker has both their victim's password and secondary device, effectively adding an extra layer of security between users and hackers.

Despite its benefits, a Google software engineer said during a presentation at Usenix's Enigma 2018 security conference Wednesday that less than 10 percent of active Google accounts use two-step authentication.

"The question is, why wouldn't we make two-factor authentication mandatory?" Google's Grzegorz Milka asked during his presentation, Gizmodo reported. "The answer is usability. In the end, we want people to use their accounts. How many people would we drive out of using Google accounts if we force them to use additional security?"

"It's perceived as an unnecessary hassle to set up additional security for one's account," Mr. Milka said, PCMag reported, adding: "The truth is such obvious security mechanisms just don't get adopted on a wide enough scale."

While Mr. Milka said less than 10 percent of Gmail accounts have enabled two-factor authentication, a recent study conducted by Duo, an Ann Arbor-based security firm, concluded that about 28 percent of Americans use the feature overall.

More than half of respondents -- 56 percent -- said they hadn't heard of two-factor authentication before the survey, Duo said in its November report.

Google boasted over 1 billion active Gmail users as of February 2016, making it one of the world's most popular free webmail providers.

A personal Gmail account belonging to John Podesta, the manager of Democratic candidate Hillary Clinton's 2016 presidential campaign, was infamously breached in March 2016 and its contents published by WikiLeaks. Mr. Podesta's account was compromised as the result of a phishing attack linked to Russian state-sponsored hackers, according to security researchers, an attack of the kind that may have been thwarted had he enabled two-factor authentication.