How Two-Factor Authentication Blocks 100 Percent Of Attacks, According To Google

The process of signing in has never been easier.

With a username or email address and a password, the process can tell an unwanted hacker apart from, say, the CEO of the company. This is why the process has long been regarded as the best way to protect information and privacy.

But as technology evolves, that simple sign-in process has to be made harder for hackers while staying as easy as possible for legitimate users.

This is where two-factor authentication comes in.

With it, users need a second device to confirm their initial sign-in. While it's easy to use, it's annoying because people can feel flustered by the extra step. It's peak first-world problems, and many people dislike it.

But when it comes to privacy, if users have any doubt whether the extra step is worth their time, Google's answer is that keeping people safe at the cost of some convenience is priceless.

Google said in a blog post:

"Every day, we protect users from hundreds of thousands of account hijacking attempts. Most attacks stem from automated bots with access to third-party password breaches, but we also see phishing and targeted attacks."

"We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking."

"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation."

Google manages this using automation.

When it detects a suspicious sign-in attempt (such as one from a new location or device), Google can ask for additional proof that the user is really who they say they are. This can be done by confirming that they have access to a trusted phone, or by answering a question to which only the user knows the correct answer.

Both device- and knowledge-based challenges help Google thwart automated bots, while device-based challenges help Google thwart phishing and targeted attacks.

Google continued:

"We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks."

What about users who haven't registered a recovery phone number? In that case, Google may fall back to weaker knowledge-based challenges, such as recalling the last sign-in location. This can still be effective against bot logins, but against phishing the protection rate can drop to as low as 10%.

This is because phishing pages and targeted attackers can trick users into revealing any additional identifying information Google might ask them for.
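As an added illustration (not Google's code and not from the article), a toy risk-based step-up policy in Python: it flags a sign-in from an unknown device or location and then picks the strongest challenge the account has enrolled, falling back to a knowledge-based question only when no recovery phone is registered. The risk rules, the `Account`/`SignIn` fields and the challenge names are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum

class Challenge(Enum):
    """Step-up challenges, strongest first, as described in the article."""
    DEVICE_PROMPT = "on-device prompt"        # shown on a signed-in phone
    SMS_CODE = "SMS code to recovery phone"
    KNOWLEDGE = "knowledge-based question"    # e.g. last sign-in location
    NONE = "no challenge"

@dataclass
class Account:
    known_devices: set
    known_locations: set
    has_prompt_device: bool = False   # a signed-in phone that can show a prompt
    has_recovery_phone: bool = False  # recovery phone number registered

@dataclass
class SignIn:
    device_id: str
    location: str

def risk_signals(account: Account, attempt: SignIn) -> list:
    """Reasons a password-correct sign-in looks suspicious (hypothetical rules)."""
    signals = []
    if attempt.device_id not in account.known_devices:
        signals.append("new device")
    if attempt.location not in account.known_locations:
        signals.append("new location")
    return signals

def choose_challenge(account: Account, attempt: SignIn) -> Challenge:
    """Strongest enrolled challenge; knowledge-based only as a last resort,
    since a phishing page can ask the victim the same question and relay it."""
    if not risk_signals(account, attempt):
        return Challenge.NONE
    if account.has_prompt_device:
        return Challenge.DEVICE_PROMPT
    if account.has_recovery_phone:
        return Challenge.SMS_CODE
    return Challenge.KNOWLEDGE

def record_success(account: Account, attempt: SignIn) -> None:
    """After a passed challenge, trust this device and location next time."""
    account.known_devices.add(attempt.device_id)
    account.known_locations.add(attempt.location)
```

Running the policy over a constructed account with only a recovery phone yields an SMS challenge for a new laptop in a new city, and no challenge once that device and location have been recorded as trusted.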

Google suggests five tips for users to properly protect their Google account:

  1. Set up a recovery phone number or email address, and keep it updated.
  2. Use unique passwords for your accounts.
  3. Keep your software up to date.
  4. Go a step further by setting up two-factor authentication.
  5. Take the Google Security Checkup.