Everywhere you turn, someone is handing out advice about account security and privacy. And while it never hurts to be reminded about all the ways you can protect your critical data, have you stopped to wonder whether any of the various security measures you’re taking are actually effective?
Google did. In 2019, it teamed up with researchers from New York University and the University of California, San Diego to analyse more than 350,000 different account-hijacking attempts and see how well some of its most basic account-security suggestions protected users’ accounts.
As it turns out, even the most basic of techniques is — to put it in Pokémon terms — super-effective!
For example, consider the most basic security setting you can use with your Google account: adding your phone number as a “Recovery phone” so Google can text you if an account sign-in looks suspicious. Do that, and the results of Google’s study covering wide-scale attacks are pretty clear.
“We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks,” reads Google’s blog post.
Opt in to an on-device prompt, which requires an attacker to have physical access to your smartphone or tablet to authenticate a login request (rather than intercepting your SMS messages or spoofing your SIM), and it’ll be even harder for them to break into your account.
According to the statistics from Google’s study, on-device prompts prevented all attacks from automated bots, 99 per cent of “bulk phishing attacks,” and even more targeted attacks (90 per cent) than if you simply used SMS-based authentication (the aforementioned 76 per cent).
It should come as little surprise that security keys (otherwise known as hardware tokens) ranked as the safest measure you can use to prevent many different kinds of hacking attempts—blocking 100 per cent of the attacks featured in Google’s study.
On the other hand, simply having to enter a piece of information about yourself to authenticate into your account, like a secondary email address you use or your phone number, wasn’t generally that effective (save for automated bot attacks).
Not every website or service you use plays well with a hardware token, though. Instead of that, we’re big fans of the Authy app for iOS and Android, which makes it easy to access your login codes for two-factor authentication across all the sites you use them on.
The password-management system 1Password is also a great option for managing your two-factor authentication codes across your sites, and its Watchtower feature is great for seeing which of the sites you frequent support two-factor authentication at all.
There’s no reason you shouldn’t be using this—or, at minimum, an SMS-based challenge—for every login, and Google’s study only reemphasises why this is such a big deal for account security.