Google has teamed up with researchers from New York University and the University of California, San Diego to prove just how effective adding a recovery phone number is at preventing account hijacking.
Google posted the findings of its year-long study on over 350,000 wide-scale and targeted attacks to its Security Blog on May 17.
According to Google, hundreds of thousands of automated bots, phishing attempts and targeted attacks are stopped every day thanks to its authentication system.
There are two types of account authentication that Google uses when it wants to know that you are you – knowledge-based challenges and device-based challenges. These pop up when you sign in to your Google Account on a new device or in an unfamiliar location.
Related: Best VPN
Its investigation showed that responding to a suspicious sign-in attempt by sending an SMS code to a recovery number helped to block 100% of automated bots, 96% of bulk phishing attacks and 76% of targeted attacks.
Meanwhile, Google’s 2-Step Verification on-device prompts were able to prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.
Google has been trying to convince its users to ditch SMS for the more secure on-device prompts since 2017 and this is certainly seems like another step in that direction.
This might be why the report threatens Google “might resort to weaker knowledge-based challenges, such as recalling your last sign-in location”, a method that was only able to prevent 10% of bulk phishing attacks and targeted attacks, if you decide not to give it your phone number.
Notably, the report does not address the more successful knowledge-based challenges in fighting bulk phishing and targeted attacks. Providing a secondary email address, for example, has a higher success rate of preventing targeted attacks than the device-based SMS method.
That being said, it is difficult to argue with the 90% success rate against targeted attacks and 99% against bulk phishing attacks that the on-device prompts were able to achieve – it might be time to give Google your phone number after all.
Google also used the report to plug its Advanced Protection Program, the only form of authentication with a 100% success rate against all three types of attacks. However, this is mostly recommended for high-risk users, such as journalists, activists, business leaders and campaign teams.
If you’re interested in learning more on how to keep your Google account secure, you can check out itsfive tips here.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
