Regular readers may have noticed that Nodal is a big fan of two-factor authentication. We recommend implementing it on any sensitive accounts to add an extra layer of security to stave off malicious actors.
Google went one step further, teaming up with researchers from New York University and University of California, San Diego to determine just how effective device-based authentication methods were in protecting against three common types of attack:
Automated attacks, generally carried out by bots using databases of previously compromised login credentials
Phishing attempts, where bad actors attempt to trick users into providing login information to seemingly-legitimate persons
Targeted attacks, where a hacker directly attempts to force entry onto the system.
They compared these results against “knowledge-based” challenges, such as providing a known phone number, secondary email address or your last login location. The results are compelling:
While knowledge-based challenges are largely effective at preventing automated bot attacks, they falter against phishing attempts and targeted attacks. This is largely because information such as phone numbers, email addresses, and last-login location information may be available to hackers elsewhere - social media accounts, professional websites, online directories, etc.
On the other hand, challenges tied directly to a physical device are nearly foolproof. SMS codes are a bit more susceptible to hackers due to the fact that SMS messages can be intercepted, SIM cards can be spoofed, or users can be tricked into providing the passcode. But even with those possible vulnerabilities, a 96% effectiveness rate against phishing attempts and a 76% success rate against targeted attacks is still impressive.
For the average user, configuring your device to display login prompt will provide an incredible degree of security with a minimum of inconvenience. Users especially concerned about account security can obtain a dedicated security key device (such as a USB dongle plugged directly into the system), which proved to be 100% effective in preventing unauthorized access in Google’s tests. Bear in mind that hackers are constantly evolving the methods they use to gain access to vulnerable accounts, so it’s important to stay vigilant and continue to follow best practices as technologies change.