Two-factor authentication, or 2FA as it is also called, is an extremely important part of your online security. One could even say that these three words are the most important factors for keeping you and your accounts safe.
But how safe is safe? Sure, it is a good idea, but does having 2FA enabled on your Google Account, Facebook, or even your Avira Account make a measurable difference? Google set out to measure just this question and came up with some interesting results.
They found that just adding a recovery phone number to a Google Account could block up to 100% of automated bots, 99% of bulk-phishing attacks, and 66% of targeted attacks. And that is just the start – Google swears that these figures can also be easily improved.
Some factors are better than other factors
Google divided its prevention rates by device-based challenges and knowledge-based challenges. The first category includes on-device prompts, SMS codes, and security keys. Knowledge-based challenges included things like secondary emails, phone numbers, and last-sign-in locations.
Device-based challenges scored highest all around – especially against targeted attacks. By changing the type of that second authentication factor – shifting from the usual secondary email or phone number to an on-device prompt or a security key – defenses against targeted phishing attacks rose to 90% and higher.
It still is a matter of (your) choice
So why not make it mandatory? Google said that the issue is friction. It slows things down, particularly for the 38% of users without their phones when challenged or the 34% that could not recall their secondary email address. People do tend to get upset when locked out of their accounts.
It’s not about the bot
The looming security issue for Google is not a sophisticated automated bot. The real issue for Google – and for many people in the security sector – is spear-phishing attacks, where hackers design specific emails and tricks to target an individual or group. Thanks to the never-ending stream of data breaches, hackers already have a huge source of information posted on the dark web for making their phish look real.
Tweak your factors
If you are not using basic 2FA with a secondary phone or email – please do. And if you are, you might want to up your privacy and security game a bit more by adding security keys, an on-device prompt, or a password manager to handle your login details.
Getting locked out of an account is one time-waster. Having your identity snatched is a far greater waste of your limited time.