Keeping your online accounts secure does not need to be difficult, and often implementing a few simple authentication methods will improve your resilience to attacks.
Google has investigated the effects of “basic security hygiene” on account security, and found that taking simple steps can protect your information from being compromised.
The company teamed up with researchers from New York University and the University of California to investigate how effectively security measures prevent account hijacking, in a study conducted over the course of a year.
The simplest solution
The results of the investigation show that the easiest way to protect your Google account from attack is to add a recovery phone number.
Implementing this solution can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks, the company said.
Google added that two-step verification (2FA) provides a powerful layer of protection, with on-device prompts being the most effective form of this authentication.
The 2FA SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
“On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks.”
The effective takeover prevention rates, which show that device-based challenges are far superior to those based on knowledge, are shown below.
Fallbacks and hacks for hire
Google said that if a user has not set up a recovery phone number, it may fall back on knowledge-based challenges.
Knowledge-based challenges could include requests for users to provide information such as their secondary email address or recall their last sign-in location.
This can defend against bot attacks, but is not as effective against phishing or targeted attacks.
Targeted attacks are often part of “hack for hire” operations, which are directed attempts to compromise a single account.
Only around one million Google accounts face this risk, but Google recommends that high-risk users enroll in its Advanced Protection Programme to ensure they are protected.