Google: Enable 2FA, study shows even SMS 2FA blocks most phishing

Gmail users should enable two-factor authentication but they can improve their defenses significantly just by adding a recovery number to their account, according to Google.

Google research into the efficacy of enabling two-factor authentication has found that even steps before enabling two-factor authentication (2FA) can make a big difference against bots, while dedicated protections like physical security keys are much more effective at warding off determined human attackers.   

On the consumer side, Google, Microsoft and other major identity providers face an uphill battle in convincing users to enable 2FA, even though both firms agree it is the best defense to thwart credential phishing. 

At the same time, neither company wants users not to sign in to their respective services because of a few security road blocks that are designed to protect user accounts but can increase the chances of an account lockout. 

Google last year revealed that just 10 percent of over one billion Gmail users had enabled 2FA as it pushes security keys, such as its own Titan dongles, as the best protection against phishing. 

Microsoft meanwhile last week claimed that “more and more” organizations are enabling 2FA and is encouraging enterprise to go passwordless using Azure Active Directory, the industry-wide WebAuthn standard and its own Windows Hello authentication technology on Windows 10 devices.   

But Google researchers have published two papers that suggest users could benefit by taking small steps towards 2FA, even without enabling it. One looked at indiscriminate, mass attacks on Gmail accounts while the other explored more challenging targeted attacks against Gmail accounts.     

The good news for most consumers is that even without setting up 2FA in Gmail, Google can help block the majority of phishing attacks if a user adds an account recovery phone number to their Google Account. This is one of the questions in Google’s security checkup feature.  

That’s possible due to on-device challenges that act as a second proof of identity and allow Google to present users different challenges based on a model of risk factors associated with a device that’s being used to sign in to an account. 

Google’s mix of challenges include “proof of access to a registered device, proof of access to a backup account, knowledge of a shared secret (e.g., a security question), or merely proof of access to a scarce resource (e.g., a CAPTCHA)”.  

Doing this enables Google to completely block automated bots, as well as block 99 percent of bulk phishing attacks, and 66 percent of targeted attacks.

“If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks,” explain Kurt Thomas and Angelika Moscicki, two of the Google researchers who contributed to the papers. 

On-device prompts, which require 2FA be enabled, didn’t change much for general phishing attacks but closed the gap on targeted attacks, raising the block rate from 76 percent to 90 percent. 

In cases where a user hasn’t set up a recovery phone number, Google resorts to “weaker knowledge-based challenges”, such as asking the user where the location they last signed in from. It was effective against bots, but the rate dropped to 10 percent for bulk phishing attacks. 

Adding to the 2FA adoption conundrum, there are multiple forms of the second “step” or “factor”— that being something you physically possess, such as a phone or dongle, in addition to something you know, like a username and password. 

At the low end, security-wise, there’s one-time codes delivered via SMS to a phone, delivered over the insecure channel of public mobile networks to a device the user possesses. Moving up from there are on-device notifications via an app on a phone or computer. And then there’s the gold-standard of buying physical cryptographic security keys, like a Yubikey or Google’s Titan keys.