Latest in Gear

Image credit:

Google stats show how much a recovery number prevents phishing

And that for most, multifactor via device prompt is as effective as a key.
391 Shares
Share
Tweet
Share
Save

Sponsored Links

In case you haven't already set up a recovery phone number for your Google account, and enabled extra security features like multifactor authentication, the search giant is using hard data to explain why you should. Interestingly, studies (1)(2) researchers presented this week at The Web Conference found that simply adding a recovery phone number to an account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks during the period they investigated.

That's why you should take advantage of a tool like the Security Checkup now, while your account is still secure, and get at least that level of protection enabled.

Google Security

While SMS verification can be defeated by a targeted attack, Google's ability to do things like send a prompt to a connected phone or have users verify where they last log in also help block sign-ins it thinks are suspicious. If you're logging in on a brand new device or from a new location, then you should expect a little more scrutiny, however because 38 percent of users didn't have access to their phone, and 34 percent couldn't get to a secondary email address, the worry is that requiring challenges all the time will increase account lockouts.

Google

According to the Google data, "hack for hire" attacks that impersonate familiar people or Google itself are incredibly rare, but can include multiple attempts even after an initial message is rebuffed. That's where steps like its Advanced Protection Program -- that requires a user to setup two hardware keys and use one of them to login all the time -- come in handy.

Mirroring the results Google has seen since requiring employees to use hardware keys, researchers said zero users who exclusively use security keys -- despite the presence of a flaw that's caused a recall of Google's Bluetooth Titan Key -- had fallen victim to targeted phishing. Limiting the attack surface based on physical proximity, and because a site has to verify itself to the security key, keeps phishing attacks at bay, even for people who are being targeted specifically.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
391 Shares
Share
Tweet
Share
Save

Popular on Engadget

Engadget's Guide to Privacy

Engadget's Guide to Privacy

View
Disney+ public pre-orders are open, but without deep bundle discounts

Disney+ public pre-orders are open, but without deep bundle discounts

View
Facebook's Libra currency will get half its backing from the US dollar

Facebook's Libra currency will get half its backing from the US dollar

View
AMD delays 16-core Ryzen 9 CPU to November

AMD delays 16-core Ryzen 9 CPU to November

View
Erica's modular synth helps you make music with preset cards

Erica's modular synth helps you make music with preset cards

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr