Recent reports reveal that typical users are shockingly vulnerable to having their accounts compromised. With less than 10 percent of active Google accounts having two-step verification enabled and only 3.1 percent of users enabling two-factor authentication after having recovered an account, the possibility of a user having their account hijacked or falling victim to a phishing attempt are all the more real.
Check out the blog post for the full scoop:
https://duo.com/blog/two-step-verification-or-two-factor-90-dont-use-it-to-protect-gmail