Research shows that 2FA and other basic measures are incredibly effective at preventing account hijacking

Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable.

The research confirms that even comparatively weak 2FA through SMS messages to your phone are very effective, preventing 100% of automated attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.


Using specialized authenticator apps (like Google's Authenticator, which has a by-design weakness that could potentially allow Google or someone with access to its systems to hack you; or stronger apps like Authy) raise the efficacy bar, preventing 99% of bulk attacks and 90% of targeted attacks.


But safest of all are security keys, which were 100% effective against all attacks (!!), confirming the emerging consensus in the security community that these are "game-changers."

Google still recommends that "high-risk users" sign up for advanced protection services, which combine Google's server-side anti-fraud tools with security keys, data minimization, auth codes, and other measures.


The key takeaway here is that security nihilism — the idea that it's impossible to be secure, especially against sophisticated attackers — is based on an inaccurate impression of how well even simple countermeasures work against common attacks. Even taking the most basic steps — turning on 2FA, using a password manager that gives you good passwords — will protect you from the vast majority of attacks, and even if you're a high-risk user, you can protect yourself against the most sophisticated attackers with comparatively little effort.


If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defense against bots, but protection rates for phishing can drop to as low as 10%. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for.

Given the security benefits of challenges, one might ask why we don’t require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.

If you lose access to your phone, or can’t solve a challenge, you can always return to a trusted device you previously logged in from to gain access to your account.

New research: How effective is basic account hygiene at preventing hijacking [Kurt Thomas and Angelika Moscicki/Google Security Blog]