Google Required 2SV and Account Compromises Fell by 50 Percent

Posted on February 8, 2022 by Paul Thurrott in Android, Cloud, Google, Google Chrome, Mobile with 17 Comments

Google revealed today that a recent initiative to require customers to enable 2-Step Verification (2SV) has been incredibly successful: among the over 150 million customers who were auto-enrolled into 2SV since last year, account compromises fell by 50 percent.

“By making all of our products secure by default, we keep more users safe than anyone else in the world, blocking malware, phishing attempts, spam messages, and cyber-attacks,” Google director Guemmy Kim explains. “Last year, we accelerated our journey to eliminating password threats by starting to auto-enroll users in 2-Step Verification (2SV), giving people an extra layer of protection when cybercriminals try to hack into their accounts, by requiring a second form of verification beyond the password.”

Google says that this decrease speaks volumes about the effectiveness of 2SV and similar multi-factor authentication schemes. (Microsoft calls its consumer effort “two-step authentication.”) But it wants to do more. It provides a Security Checkup for Google account holders to help make sure those accounts are configured as securely as possible. It will continue auto-enrolling users into 2SV. And it provides a Password Manager that’s built into Chrome, Android, and the Google app; this Password Manager helps create strong passwords for online accounts, checks whether they’ve been involved in a breach, and verifies the authenticity of sign-in pages before logging you in.

You can learn more at the Google Safety Center.


17 responses to “Google Required 2SV and Account Compromises Fell by 50 Percent”

  1. bluvg

    Only 50%? That's quite disappointing when Microsoft is showing 99.9% for the same stat.

  2. dftf

    I currently use SMS-based 2FA (yes, SIM-hijack attacks, spoofed numbers... I'm aware of the risks!), as I've known friends who use the authenticator apps who've run into issues with them (e.g. needed to reinstall the app or reset their phone, or bought a new phone and lost access) and then found it a complete pain to regain access to their various accounts.


    Can anyone recommend a good authenticator app and perhaps briefly explain to me what recovery safeguard it offers -- one-time recovery codes, perhaps, or maybe a code sent to both an SMS number and e-mail address or something?


    I know I should move to an app from SMS... but I don't like the idea of something going wrong and then having a nightmare trying to regain access to online accounts.

    • bluvg

      For what it's worth, LastPass Authenticator can backup to your LastPass vault. If you get a new phone, you can then restore LP Authenticator from your vault.

    • wattsvilleblues

      I use Authy - it exists on iOS, Android and Windows, and allows syncing between those platforms. Microsoft Authenticator, so far as I know, requires using iCloud on iOS, which stops it being a multi-platform option.

      • dftf

        If you get a new phone, then what do you do on the new one to make Authy work again? Just sign in with an e-mail address and password or anything more to it?


        Also, does that app work with all app-authentication supported sites (as some examples: GMail, Office Online, Amazon, eBay, Uber, WhatsApp, GitHub), or do some sites only work with specific authenticator apps?

    • BLeduc

      Microsoft Authenticator backs up your accounts in the cloud.

      • dftf

        Okay, two follow-up questions please:


        (1) When you move onto a new phone, what do you have to do to make the app work again? Do you just sign into it with the e-mail address and password, or is anything more involved?


        (2) Do all sites you use with 2FA support the Microsoft Authenticator app, or do some not support it?

        • jupast

          For Microsoft Authenticator if you install the app on a new phone, there's a restore from (cloud) backup option from what I recall.


          It's a pretty simple process, and (from memory) there's a guide within the app to step you through it.

        • christianwilson

          On iOS, the iCloud backup of your phone will recover your Microsoft Authenticator configuration. I’m sure it is the same on Android. The only accounts that won’t back up properly are business/enterprise Azure AD accounts. Those have to be re-enrolled. Kind of annoying but not the end of the world.


          Everything I have come across is compatible with Microsoft Authenticator.

          • dftf

            From review sites I've checked, Google Authenticator is one to avoid, as it doesn't do any backups to your Google Account, only to an encrypted local file (I think). And to transfer, you have to make a QR code appear on your old phone, then scan it on the new one. So no good if you were to lose your current phone, or it was to ever stop powering on.


            (Pity, as otherwise it's a tiny-sized app with a clean UI.)

      • bluvg

        But forehead-slappingly, inexplicably, dumbfoundingly (and just plain dumb)... for personal (MSA) accounts only.
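An added illustration (not part of the article or of any commenter's post) of why the interoperability and recovery questions in this thread have the answers they do: authenticator apps implement the RFC 6238 TOTP algorithm, so the only per-account state an app holds is the shared secret delivered in the enrolment QR code (an otpauth:// URI). Any app that has that secret produces the same six-digit codes as any other, and a backup is valuable precisely because it preserves that secret; without it, no app can regenerate the codes. The secret below is the RFC 6238 test key; the issuer, account name and enrolment URI are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth://totp/ URI,
    which is what an enrolment QR code encodes. Returns a dict."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(p.query)
    secret_b32 = q["secret"][0].upper()
    # QR codes usually omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second
    steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Server-side check: accept the current time step and up to `window`
    steps either side to tolerate clock drift. Constant-time comparison
    so a wrong code does not leak how many digits matched."""
    if at is None:
        at = time.time()
    for step in range(-window, window + 1):
        candidate = totp(secret, at + step * period, period, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def codes_from_two_apps(uri, at):
    """Provision the same enrolment URI into two independent 'apps' and
    return the code each produces. Both only ever need the secret, so a
    backup that preserves it (or the original QR code) restores access."""
    app_a = parse_otpauth(uri)
    app_b = parse_otpauth(uri)  # e.g. restored on a new phone from a backup
    return (totp(app_a["secret"], at, app_a["period"], app_a["digits"], app_a["algorithm"]),
            totp(app_b["secret"], at, app_b["period"], app_b["digits"], app_b["algorithm"]))


# Constructed enrolment URI using the RFC 6238 test key "12345678901234567890"
# (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ); the issuer and account are made up.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    enrolled = parse_otpauth(EXAMPLE_URI)
    print(enrolled["label"], totp(enrolled["secret"], at=59))  # RFC 6238 vector: 287082
    print(codes_from_two_apps(EXAMPLE_URI, at=1234567890))     # ('005924', '005924')
```

Two practical consequences follow from the code: a site that offers "authenticator app" 2FA is offering this algorithm, so any RFC 6238 app works with it (the app brand only matters for how the secret is backed up), and a server should verify with a small window and a constant-time compare, never by regenerating a single code and using `==`.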

  3. Chris Hedlund

    Does that mean that the other 50% of users were enrolled in 2SV and still got compromised? I'm not sure I understand this data...

    • IanYates82

      No. It means if they knew about 1000 compromised accounts per year prior to this change, they're saying there's only 500 compromises per year now after the change.


      Obviously 1000 is probably more like 500000.


      As for how they know an account is compromised? Probably support tickets.

      • hrlngrv

        Wouldn't that imply that if users not using 2SV had practiced safer computing recently, their safer usage could explain the drop in compromises overall? I'm not saying that's the case, and I'm not saying 2SV doesn't provide more security; I'm just saying, as a logical proposition, that without more details, saying 2SV produced safer computing, given the facts in the article, is post hoc ergo propter hoc reasoning.


        The big question is how big the TOTAL user base which contains the 150m auto-enrolled is. If it were, say, 3b, then 2SV would be unlikely to be the main reason for the 50% reduction in compromised systems.

        • hrlngrv

          To be even clearer, 2SV/2FA for anything involving money, healthcare records, employment, family makes sense. 2SV/2FA for dropping effectively anonymous comments here, on reddit, etc is less valuable to me.

  4. jupast

    For a second there I was like 2SV, what's that? Then realized it's 2FA, because we can't even manage a standard name for this either.
