Google Required 2SV and Account Compromises Fell by 50 Percent

Google revealed today that a recent initiative to require customers to enable 2-Step Verification (2SV) has been incredibly successful: among the over 150 million customers who were auto-enrolled into 2SV since last year, account compromises fell by 50 percent.

“By making all of our products secure by default, we keep more users safe than anyone else in the world, blocking malware, phishing attempts, spam messages, and cyber-attacks,” Google director Guemmy Kim explains. “Last year, we accelerated our journey to eliminating password threats by starting to auto-enroll users in 2-Step Verification (2SV), giving people an extra layer of protection when cybercriminals try to hack into their accounts, by requiring a second form of verification beyond the password.”


Google says that this decrease speaks volumes about the effectiveness of 2SV and similar multi-factor authentication schemes. (Microsoft calls its consumer effort “two-step authentication.”) But it wants to do more. It provides a Security Checkup for Google account holders to help make sure those accounts are as securely configured as possible. It will continue auto-enrolling users into 2SV. And it provides a Password Manager that’s built into Chrome, Android, and the Google App; this Password Manager helps create strong passwords for online accounts, check if they’ve been involved in a breach, and verify the authenticity of sign-in pages before logging you in.

You can learn more at the Google Safety Center.


Conversation 17 comments

  • bluvg

    08 February, 2022 - 1:08 pm

    Only 50%? That’s quite disappointing when Microsoft is showing 99.9% for the same stat.

    • asdfasedasdfasdf

      08 February, 2022 - 1:58 pm

      That was my thought, too, when I saw that headline. Seems awful low. I wish they had broken down how those compromises are still occurring.

  • Chris Hedlund

    08 February, 2022 - 3:03 pm

    Does that mean that the other 50% of users were enrolled in 2SV and still got compromised? I’m not sure I understand this data…

    • IanYates82

      Premium Member
      08 February, 2022 - 3:53 pm

      No. It means if they knew about 1000 compromised accounts per year prior to this change, they’re saying there’s only 500 compromises per year now after the change.

      Obviously 1000 is probably more like 500000.

      As for how they know an account is compromised? Probably support tickets

      • hrlngrv

        Premium Member
        08 February, 2022 - 10:52 pm

        Wouldn’t that imply that if users not using 2SV had practiced safer computing recently, their safer usage could explain the drop in compromises overall? I’m not saying that’s the case, and I’m not saying 2SV doesn’t provide more security, I’m just saying as a logical proposition that without more details, saying 2SV produced safer computing, given the facts in the article, is post hoc ergo propter hoc reasoning.

        The big question is how big is the TOTAL user base which contains the 150m autoenrolled. If it were, say, 3b, then 2SV would unlikely be the main reason for the 50% reduction in compromised systems.

        • hrlngrv

          Premium Member
          08 February, 2022 - 10:55 pm

          To be even clearer, 2SV/2FA for anything involving money, healthcare records, employment, family makes sense. 2SV/2FA for dropping effectively anonymous comments here, on reddit, etc is less valuable to me.

  • dftf

    08 February, 2022 - 3:20 pm

    I currently use SMS-based 2FA (yes, SIM-hijack attacks, spoofed-numbers… I’m aware of the risks!), as I’ve known friends who use the authenticator apps who’ve run into issues with them (e.g. needed to reinstall the app or reset their phone, or bought a new phone and lost access) and then found it a complete pain to re-gain access to their various accounts.

    Can anyone recommend a good authenticator-app and perhaps explain to me what recovery safeguard it offers, briefly — one-time recovery codes, perhaps, or maybe a code sent to both an SMS number and e-mail address or something?

    I know I should move to an app from SMS… but I don’t like the idea of something going wrong and then having a nightmare trying to regain access to online accounts.

    • BLeduc

      Premium Member
      08 February, 2022 - 3:32 pm

      Microsoft Authenticator backs up your accounts in the cloud.

      • bluvg

        08 February, 2022 - 3:44 pm

        But forehead-slappingly, inexplicably, dumbfoundingly (and just plain dumb)… for personal (MSA) accounts only.

      • dftf

        08 February, 2022 - 5:16 pm

        Okay, two follow-up questions please:

        (1) When you move onto a new phone, what do you have to do to make the app work again? Do you just sign into it with the e-mail address and password, or is anything-more involved?

        (2) Do all sites you use with 2FA support the Microsoft Authenticator app, or do some not support it?

        • christianwilson

          Premium Member
          08 February, 2022 - 8:32 pm

          On iOS, the iCloud backup of your phone will recover your Microsoft Authenticator configuration. I’m sure it is the same on Android. The only accounts that won’t back up properly are business/enterprise Azure AD accounts. Those have to be re-enrolled. Kind of annoying but not the end of the world.

          Everything I have come across is compatible with Microsoft Authenticator.

          • dftf

            09 February, 2022 - 6:42 am

            From review sites I’ve checked, Google Authenticator is one to avoid, as it doesn’t do any backups to your Google Account, only to an encrypted local-file (I think). And to transfer, you have to make a QR code appear on your old phone, then scan it on the new one. So no-good if you were to lose your current phone, or it was to ever stop powering-on.

            (Pity, as otherwise it’s a tiny-sized app with a clean UI.)

        • jupast

          09 February, 2022 - 2:10 pm

          For Microsoft Authenticator if you install the app on a new phone, there’s a restore from (cloud) backup option from what I recall.

          It’s a pretty simple process, and (from memory) there’s a guide within the app to step you through it.

    • wattsvilleblues

      08 February, 2022 - 4:53 pm

      I use Authy – it exists on iOS, Android and Windows, and allows syncing between those platforms. Microsoft Authenticator, so far as I know, requires using iCloud on iOS, which stops it being a multi-platform option.

      • dftf

        08 February, 2022 - 5:14 pm

        If you get a new phone, then what do you do on the new one to make Authy work again? Just sign in with an e-mail address and password or anything more to it?

        Also, does that app work with all app-authentication supported sites (as some examples: GMail, Office Online, Amazon, eBay, Uber, WhatsApp, GitHub), or do some sites only work with specific authenticator apps?

    • bluvg

      08 February, 2022 - 5:31 pm

      For what it’s worth, LastPass Authenticator can back up to your LastPass vault. If you get a new phone, you can then restore LP Authenticator from your vault.

  • jupast

    09 February, 2022 - 2:11 pm

    For a second there I was like 2SV, what’s that? Then realized it’s 2FA, because we can’t even manage a standard name for this either.


Thurrott © 2024 Thurrott LLC