In brief: Not everyone sets up security measures such as recovery phone numbers, but Google has just published evidence showing how effective this technique is when it comes to keeping accounts secure.
The tech giant teamed up with researchers from New York University and the University of California, San Diego, for a year-long study on the effectiveness of basic account hygiene at preventing hijacking. It looked into 350,000 hijacking attempts on 1.2 million users across Google's 14 different login challenges.
If you haven’t linked your Google account to your phone, you might want to do it now. During the investigation, it was found that this measure can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.
Google says it provides an automatic layer of security against account hijacking by asking for additional proof of a user’s identity if it detects a suspicious sign-in. This includes confirming they have access to a trusted phone or asking a question only the user knows the answer to.
The study found that using an SMS code sent to a recovery phone blocked 76% of targeted attacks, 96% of bulk phishing, and 100% of automated bots, while the more secure on-device prompts prevented 90% of targeted, 99% of bulk, and 100% of automated attacks.
For those without recovery phones, knowledge-based challenges such as recalling the last sign-in location can be effective against bots, but protection rates against phishing drop as low as 10%.
Using recovery numbers or associated devices doesn’t come without its own problems. “In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address,” wrote Google. This increases the chance of a lockout, which is why Google doesn’t require challenges for all account sign-ins.
For those who want the highest level of security, the best option is a physical security key, which offered 100% protection against bots, phishing, and targeted attacks. This is despite a recent security issue impacting select Google Bluetooth Titan Keys that forced a recall.