Latest in Gear

Image credit:

Google stats show how much a recovery number prevents phishing

And that for most, multifactor via device prompt is as effective as a key.
391 Shares
Share
Tweet
Share
Save

Sponsored Links

In case you haven't already set up a recovery phone number for your Google account, and enabled extra security features like multifactor authentication, the search giant is using hard data to explain why you should. Interestingly, studies (1)(2) researchers presented this week at The Web Conference found that simply adding a recovery phone number to an account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks during the period they investigated.

That's why you should take advantage of a tool like the Security Checkup now, while your account is still secure, and get at least that level of protection enabled.

Google Security

While SMS verification can be defeated by a targeted attack, Google's ability to do things like send a prompt to a connected phone or have users verify where they last log in also help block sign-ins it thinks are suspicious. If you're logging in on a brand new device or from a new location, then you should expect a little more scrutiny, however because 38 percent of users didn't have access to their phone, and 34 percent couldn't get to a secondary email address, the worry is that requiring challenges all the time will increase account lockouts.

Google

According to the Google data, "hack for hire" attacks that impersonate familiar people or Google itself are incredibly rare, but can include multiple attempts even after an initial message is rebuffed. That's where steps like its Advanced Protection Program -- that requires a user to setup two hardware keys and use one of them to login all the time -- come in handy.

Mirroring the results Google has seen since requiring employees to use hardware keys, researchers said zero users who exclusively use security keys -- despite the presence of a flaw that's caused a recall of Google's Bluetooth Titan Key -- had fallen victim to targeted phishing. Limiting the attack surface based on physical proximity, and because a site has to verify itself to the security key, keeps phishing attacks at bay, even for people who are being targeted specifically.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
391 Shares
Share
Tweet
Share
Save

Popular on Engadget

Netflix is giving Line's cute mascots their own animated series

Netflix is giving Line's cute mascots their own animated series

View
Sling TV's Cloud DVR can finally record ESPN

Sling TV's Cloud DVR can finally record ESPN

View
'Forza Horizon 4' is getting a 72-car battle royale mode

'Forza Horizon 4' is getting a 72-car battle royale mode

View
What's coming to Netflix in January: hello 'Sabrina,' goodbye 'Friends'

What's coming to Netflix in January: hello 'Sabrina,' goodbye 'Friends'

View
The Game Awards will run a 48-hour demo 'festival'

The Game Awards will run a 48-hour demo 'festival'

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr