Google study finds phone numbers offer impressive account protections

Google has published the results of a study it commissioned into the protections afforded by its various account security settings, claiming that something as simple as adding a recovery phone number to your account can have an outsized impact on vulnerability to attack.

Google, which drives eyes to its advertising business through the provision of services ranging from search and email to cloud-powered productivity software and, soon, cloud gaming, has long been looking at ways to protect its users against account hijacking attacks. Its most recent efforts have centred around having a physical device - either a dedicated security key, Bluetooth examples of which the company recent recalled over a security flaw, or a suitable Android smartphone - but a study the company commissioned suggests that something as simple as having an up-to-date account recovery phone number offers a surprising degree of protection.

'Our research shows that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation,' Google's Kurt Thomas and Angelika Moscicki write in a blog post detailing the results of the year-long research project, carried out in partnership with New York University and the University of California at San Diego. 'If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100 percent of automated bots, 99 percent of bulk phishing attacks and 90 percent of targeted attacks.

'If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defence against bots, but protection rates for phishing can drop to as low as 10 percent. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for. Given the security benefits of challenges, one might ask why we don’t require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38 percent of users did not have access to their phone when challenged. Another 34 percent of users could not recall their secondary email address.'

Google's guide to keeping an account secure can be found on the company blog.