Google proves that recovery numbers are crucial for account security

Home security
Image credit: Stefan Schweihofer

While it may be frustrating to have to remember multitudes of passwords, have your accounts linked to your mobile number, or set up two-factor authentication, Google has released data showing just how effective some of these security techniques truly are.

Google’s Security Blog has published research on the effectiveness of “basic account hygiene”, finding that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during [the] investigation”.

The research was formulated from two different studies, conducted in conjunction with the New York University and the University of California, San Diego, focusing on wide-scale attacks and targeted attacks respectively.

The blog post details the automatic account security measures that Google employs – these include ‘knowledge-based challenges’ such as verifying the last sign-in location of your device, the associated phone number and secondary email addresses. 

While these weaker challenges prove successful in blocking most automated bot attacks, they are significantly weaker against both bulk phishing and targeted attacks. 

Image credit: Google

Image credit: Google

(Image: © Image credit: Google)

However, ‘device-based challenges’ thwarted almost every automated or bulk phishing attack that was thrown up against it, and performed considerably better against targeted attacks. 

These challenges include sending an SMS code or an on-device prompt to your associated mobile device, or alternatively using a designated security key such as YubiKey or Google's own Security Key, which was the only method tested that had a 100% prevention rate across the board.

On the flipside, Google recognized that there is an inherent downside to requiring a recovery number or associated device – “in an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address”. This, alongside the “additional friction” introduced by such challenges, is why Google hasn’t made such security compulsory for accounts.

If you think your account hygiene isn’t up to scratch, it’s worth taking the time to follow Google’s own five-step solution to staying safer online, which handily provides links to the relevant settings so you can change them right away.