Google’s own data proves two-factor is the best defense against most account hacks

Every once in a while someone asks me what the best security advice is.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it will likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step to your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100 percent of automated bot attacks that use stolen lists of passwords against login pages and 96 percent of phishing attacks that try to steal your password.

Account takeover prevention rates by challenge type. (Image: Google)

Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. The next step up, getting a two-factor code from an authenticator app on your phone, is far more secure: there is no SMS to intercept. Note that any code you type in, whether from a text message or an app, can still be captured by a phishing site that relays it to the real site within the few seconds it stays valid.

Only a security key, designed to protect the most sensitive accounts, prevented not only automated bot and phishing attacks but also highly targeted attacks, typically associated with nation states. Just one in a million users face targeted attackers, Google said.
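To make the difference between the two stronger options concrete, here is an added example (not code from the article or from Google’s research) that generates and verifies the time-based codes an authenticator app produces, then simulates a phishing site relaying a victim’s login to the real site. The code check succeeds when relayed within the validity window; the security-key check does not, because a FIDO2/WebAuthn authenticator signs the server’s challenge together with the origin the browser reports. The secret is the RFC 6238 test key, the site names and device key are constructed for the demo, and an HMAC stands in for the key’s real per-site asymmetric signature (an assumption to keep the block dependency-free).

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # also accept the previous and next 30-second step, to tolerate clock drift

# Constructed demo secret: the RFC 6238 test key "12345678901234567890", written as
# the base32 string an authenticator app would scan from a QR code. Not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    return base64.b32decode(b32, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, used_steps: set) -> bool:
    """Server-side check: constant-time compare across the drift window, and each
    time step is redeemable once, so a captured code cannot be replayed after the
    legitimate login has consumed it."""
    current = unix_time // STEP_SECONDS
    for step in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            if step in used_steps:
                return False
            used_steps.add(step)
            return True
    return False


def key_response(device_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key's answer to a WebAuthn challenge. The real
    authenticator signs the challenge plus the origin the browser saw with a
    per-site private key; HMAC replaces that signature here (assumption)."""
    return hmac.new(device_secret, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()


def verify_key_response(device_secret: bytes, challenge: bytes, expected_origin: str, response: bytes) -> bool:
    expected = key_response(device_secret, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def phishing_relay(unix_time: int) -> dict:
    """Simulate a phishing site that proxies a victim's login to the real site."""
    real_origin = "https://accounts.example"            # constructed
    phish_origin = "https://accounts-example.test"      # constructed lookalike
    totp_secret = decode_secret(DEMO_SECRET_B32)
    device_secret = b"constructed-demo-device-key"      # constructed

    # 1. Code-based second factor: victim reads the code from the app and types it
    #    into the phishing page; the phisher forwards it to the real site 5 s later.
    victim_code = totp(totp_secret, unix_time)
    code_relay_ok = verify_totp(totp_secret, victim_code, unix_time + 5, set())

    # 2. Security key: the real site issues a challenge, the phisher forwards it,
    #    but the victim's browser reports the phishing origin, which the key signs over.
    challenge = secrets.token_bytes(32)
    relayed = key_response(device_secret, challenge, phish_origin)
    key_relay_ok = verify_key_response(device_secret, challenge, real_origin, relayed)

    # 3. Direct login with the key on the real site still works.
    direct = key_response(device_secret, challenge, real_origin)
    key_direct_ok = verify_key_response(device_secret, challenge, real_origin, direct)

    return {
        "code_relay_succeeds": code_relay_ok,
        "key_direct_login": key_direct_ok,
        "key_relay_succeeds": key_relay_ok,
    }


if __name__ == "__main__":
    s = decode_secret(DEMO_SECRET_B32)
    print("code at t=59:", totp(s, 59))   # RFC 6238 vector 94287082, 6-digit form
    print(phishing_relay(1111111109))
```

The single-use step set in verify_totp is the check most home-grown implementations forget; without it an intercepted SMS code stays usable for up to 90 seconds even after the victim has logged in.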

For everyone else, adding a phone number to your account and getting even the most basic two-factor set up is better than nothing. Better yet, go all in and shoot for the app.

Your non-breached online accounts will thank you.
