Logically, two-factor authentication (2FA) and two-step verification (2SV) — the difference is subtle but significant, and Google's implementations count as both — should make accounts less easy for hackers to target, but it’s a theory that’s tricky to actually prove in practice.
Google now has some pretty strong evidence to back up what it has — and we have — always insisted: 2FA works and is something that everyone should enroll into, even if it does add a bit of friction to account logins.
In a blog post yesterday (Feb. 8) written by Guemmy Kim, director of account security and safety at Google, the company revealed the staggering result of automatically enrolling accounts into its 2FA/2SV program: a 50% decrease in account takeovers.
How Google 2FA works
After you log into your Google account with the correct password on a new device, Google gives you several different ways with which you can back up that password:
- by entering a temporary code texted to your phone via SMS (the easiest but least secure form of 2FA)
- by entering a temporary code generated by the Google Authenticator app (or compatible apps)
- by tapping OK on a push notification sent via the internet to your smartphone
- by inserting a physical security key into a PC or phone's USB port
- by pushing a button on a Bluetooth-based physical security key (which can be a smartphone) near a Bluetooth-enabled computer
- by tapping an NFC-based physical security key against a compatible phone
Double the security, half the harm
After 150 million Google account holders (selected because their smartphones could receive push notifications) and 2 million YouTube creators were forced into using 2FA/2SV starting in the middle of 2021, Kim said the company saw a 50% reduction in Google accounts being compromised among the users who had 2FA/2SV enabled.
“This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information,” wrote Kim.
She then outlined how Google was trying to ensure that “higher security doesn’t have to mean less convenience.”
The technology pioneered by USB security keys, for example, is now supported by “almost every mobile device around the world” thanks to it being built into Android and available on iOS with the Google Smart Lock app.
In other words, your phone can act as a Bluetooth-based physical security key when logging into your Google or Gmail account on a PC or Mac, or even another smartphone.
“Turn on 2SV (or we will!), as it makes all the difference in the event your password is compromised,” Kim urged, while encouraging people to undertake a Google security checkup and enroll in Google Password Manager.
(We disagree about the merits of Google Password Manager, because it depends on Chrome desktop browsers that can often be hacked by common malware.)
Mind the age gap
Most people would agree that Google’s push-notification implementation of 2FA is impressively elegant, and certainly beats having to type out a code from an SMS message (something which is also vulnerable to SIM-swapping and number-porting attacks). But even a gentle implementation of two-factor authentication can be off-putting to those less comfortable with technology.
To use a personal example: When my parents suffered password leaks (as everyone inevitably will — check haveibeenpwned.com to see if your password has been leaked) I quickly realized that evangelizing about the power of password managers was a waste of time.
Instead, I suggested a system whereby passwords could be familiar but complex, using an easily memorable twist based on the account a password was connected to.
Sure, that’s not as safe as a randomly generated password, but it makes passwords less vulnerable to brute-force attacks. It also makes each password unique, which means that one password leak won’t result in all my parents' accounts being exposed to the worst elements of the internet.
This isn’t the tactic I’d recommend to high-reward hacking targets such as celebrities, sports stars or politicians, but for the majority of low-profile internet users it’s better than nothing. When it comes to internet safety, sometimes being a less easy target then the next guy along is good enough.
But if Google’s easier take on 2FA can bring enough people up to a higher standard, then hopefully far fewer people will have their days (or even lives) ruined by hackers and scammers. And that’s something to celebrate.