While it may be frustrating to have to remember multitudes of passwords, have your accounts linked to your mobile number, or set up two-factor authentication, Google has released data showing just how effective some of these security techniques truly are.
Google’s Security Blog has published research on the effectiveness of “basic account hygiene”, finding that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during [the] investigation”.
The research draws on two studies, conducted in conjunction with New York University and the University of California, San Diego, focusing on wide-scale attacks and targeted attacks respectively.
The blog post details the automatic account security measures that Google employs – these include ‘knowledge-based challenges’ such as verifying the last sign-in location of your device, the associated phone number and secondary email addresses.
While these weaker challenges prove successful in blocking most automated bot attacks, they are significantly less effective against both bulk phishing and targeted attacks.
However, ‘device-based challenges’ thwarted almost every automated or bulk phishing attack thrown at them, and performed considerably better against targeted attacks.
These challenges include sending an SMS code or an on-device prompt to your associated mobile device, or alternatively using a designated security key such as YubiKey or Google’s own Security Key, which was the only method tested that had a 100% prevention rate across the board.
On the flipside, Google recognized that there is an inherent downside to requiring a recovery number or associated device – “in an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address”. This, alongside the “additional friction” introduced by such challenges, is why Google hasn’t made such security compulsory for accounts.