Google proves two-factor authentication works

Patrick Devaney


Keeping safe online can sometimes feel like a Herculean task. We have a growing number of online accounts and each of them needs a long, complicated, and unique password. If we don’t have them, we’re at risk of exposing multiple accounts should one fall. Add to this the regular data breaches that affect even the biggest companies and it can feel like we must keep on top of it.

Google account

Password managers are a great weapon to wield in this online battle. Once you’ve set one up, they’re easy to use and will automatically set strong passwords for each of your accounts and store them securely.

Strong passwords aren’t enough though. These days there is another important tool that we need to use if we’re to make sure we’re as secure online as we should be. This, of course, is two-factor authentication. You have to confirm your identity on one device by proving who you are on another one. There are even physical devices you can buy that only exist to authenticate your identity.

The problem with two-factor authentication is it’s annoying.

Having to scramble around finding your phone or tablet, whenever you want to do something important online, can be very frustrating. The thing is though, two-factor authentication works and new data from Google proves it.

Research shows it works!

Google teamed up with researchers from New York University and the University of California San Diego. They performed a year-long study looking into various types of cyber-attack and how basic security procedures can block them. The results were striking. The simple act of adding a recovery telephone number blocks every single automated bot attack and 99% of all bulk phishing attempts.

With two-factor authentication, Google was keen to point out the difference between the different types you can use. The first uses a code that is sent by SMS to your nominated recovery phone. You enter it on the site that needs to confirm your identity. In Google’s tests, this type of two-step verification protected against 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted phishing attacks.

results from Google's study

The other type of two-factor authentication uses an on-device prompt. Rather than receiving a code, you receive a button to press that will prove who you are. This type of verification scored even higher than the SMS code type. It protected against 100% of automated bots, 99% of bulk attacks, and an impressive 90% of targeted attacks.

The message here is clear: If you don’t have two-stage verification enabled on the online accounts that offer it, you need to enable it now. Google pointed out in its report that there are other defenses it uses like last sign-in location if you don’t have 2-stage activated. However, protection rates can fall to as low as 10% for these other methods. It is clear that two-factor authentication is the big boss when it comes to online security. If you don’t have it set up, you should do it now.

You may also like