Latest in Gear

Image credit:

Google stats show how much a recovery number prevents phishing

And that for most, multifactor via device prompt is as effective as a key.
388 Shares
Share
Tweet
Share
Save

Sponsored Links

In case you haven't already set up a recovery phone number for your Google account, and enabled extra security features like multifactor authentication, the search giant is using hard data to explain why you should. Interestingly, studies (1)(2) researchers presented this week at The Web Conference found that simply adding a recovery phone number to an account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks during the period they investigated.

That's why you should take advantage of a tool like the Security Checkup now, while your account is still secure, and get at least that level of protection enabled.

Google Security

While SMS verification can be defeated by a targeted attack, Google's ability to do things like send a prompt to a connected phone or have users verify where they last log in also help block sign-ins it thinks are suspicious. If you're logging in on a brand new device or from a new location, then you should expect a little more scrutiny, however because 38 percent of users didn't have access to their phone, and 34 percent couldn't get to a secondary email address, the worry is that requiring challenges all the time will increase account lockouts.

Google

According to the Google data, "hack for hire" attacks that impersonate familiar people or Google itself are incredibly rare, but can include multiple attempts even after an initial message is rebuffed. That's where steps like its Advanced Protection Program -- that requires a user to setup two hardware keys and use one of them to login all the time -- come in handy.

Mirroring the results Google has seen since requiring employees to use hardware keys, researchers said zero users who exclusively use security keys -- despite the presence of a flaw that's caused a recall of Google's Bluetooth Titan Key -- had fallen victim to targeted phishing. Limiting the attack surface based on physical proximity, and because a site has to verify itself to the security key, keeps phishing attacks at bay, even for people who are being targeted specifically.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
388 Shares
Share
Tweet
Share
Save

Popular on Engadget

Korg Volca Modular synth review: As weird as it is affordable

Korg Volca Modular synth review: As weird as it is affordable

View
Lawmakers urge the FCC to seek public input on T-Mobile / Sprint merger

Lawmakers urge the FCC to seek public input on T-Mobile / Sprint merger

View
YouTube Originals will be free to watch starting on September 24th

YouTube Originals will be free to watch starting on September 24th

View
Nintendo will replace a newly purchased Switch with newer model

Nintendo will replace a newly purchased Switch with newer model

View
Amazon sent 20 order confirmations to the wrong people

Amazon sent 20 order confirmations to the wrong people

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr