It’s easy to be a security pessimist.
Hackers and data breaches make headlines all over the internet every day. Is there anything an average person can do to protect themselves?
Actually, yes. A simple and easy step, such as enabling strong multifactor authentication, turns out to be an extremely effective way to secure your online accounts. A new study from Google, the University of New York, and the University of California, San Diego, shed new light this week on how powerful some protections can be.
The researchers looked at multifactor authentication tools such as physical security keys, on-device prompts, and text messages to find out how well these techniques protect you. The conclusion: very well.
The most effective tool you can have to prevent someone from stealing your account is a security key. That way, a site like Google can ask for more proof of who you are besides your password. Companies like Yubico, Feitian and, yes, Google make these security keys.
This technique prevented 100% of attempted attacks on accounts of all kinds in the one-year study. Last year, Google said there had been no breaches of its employees’ accounts since they began using security keys.
This tool is used by journalists, politicians, human rights defenders and other people whose cybersecurity can be a matter of life and death. But don’t let the 100% figure fool you: security keys are not perfect, as Google’s recent incident with its Titan keys and a Bluetooth vulnerability proves, but they are extremely powerful. And most importantly, the keys are also affordable.
Another strong option is the on-device prompt. Many important online accounts allow you to use authenticator apps like Google Authenticator or, like Gmail, in-app prompts that help prove your identity to the platform. This tool blocks 100% of automated attacks, 99% of mass phishing attacks, and 90% of specifically targeted attacks, according to the research group's findings.
Last week we talked about how text-message two-factor authentication is relatively weak compared to easy alternatives. The Google study confirmed this idea: SMS codes are less effective than device prompts or security keys. But they are still much more effective than having no multifactor authentication. The researchers found that SMS codes countered 100 percent of automated account hijacking attempts, 96 percent of mass phishing attacks, and 76 percent of targeted attacks.
The study also looked at other account attack prevention tools.
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” wrote the researchers Kurt Thomas and Angelika Moscicki.
Adding a secondary email address is another positive step that makes account hacks much less likely, research shows.
Being pessimistic about security is understandable, but being realistic may be better for your digital health. Stay informed, take some simple and effective measures and stay as well protected as possible.