Google's own data proves that two-factor is the best defense against most account hacks – TechCrunch


From time to time, someone asks me what the best security advice is.

The long answer is "it depends on your threat model", which is just an elegant way of saying that good security advice for the vast majority is not necessarily what nuclear scientists and government spies need.

My short answer is "turn on two-factor". Yet nobody believes me.

Ask any cybersecurity professional and it will probably rank as more important than using unique or strong passwords. Two-factor, which adds an extra step to your usual login process by sending a unique code to a device you own, is the best defense between a hacker and your online account data.

But do not just take my word for it. Google data out this week shows how useful even the simplest form of two-factor can be against attacks.

The research, conducted with the help of the University of New York and the University of California at San Diego, shows that any device-based challenge, such as a text message or an on-device prompt, can in almost all cases prevent the most common types of mass-scale attacks.

Google's data indicated that an SMS sent to a person's phone prevented 100% of automated attacks that use stolen password lists against login pages, and 96% of phishing attacks aimed at stealing your password.

Account takeover prevention rates by type of challenge. (Image: Google)

Not all two-factor options are equal. We have already explained that two-factor codes sent by SMS can be intercepted by semi-skilled hackers, but that SMS is still better than not using two-factor at all. Its best replacement, getting a two-factor code via an authenticator app on your phone, is much more secure.

Only a security key, designed to protect the most sensitive accounts, prevented not just automated bots and phishing attacks but also highly targeted attackers, typically associated with nation-states. Only one in a million users faces targeted attackers, Google said.

For everyone else, it's best to add a phone number to your account and get the most basic two-factor setup. Better yet, go a step further and use the app.

Your non-breached online accounts will thank you.
