More than 150 million Google users have seen their chance of compromise drop by half following the adoption of two-step verification, a process where users logging in to a Google service will be asked to respond to a push notification sent to a second device, the company said today.
The result is an early sign that Google's effort to boost the overall security of its user base and protect accounts from compromise is paying off. Over the past six months or so, Google has turned on the additional security check for 150 million early adopters using its services and another 2 million YouTube creators, who accounts are especially valuable, the post said.
The company will continue to switch any accounts that are protected with only a username and password over to two-step verification (2SV) and offer more security options as well, says Guemmy Kim, director of account security and safety at Google.
"Once users are in 2SV, there are options for second factors to become even more secure — for example, Google Prompts and Security Keys offer even better protection, and users can 'upgrade' at any time," she says. "At this time, it’s important for us to get users to at least just get started with 2SV."
Eliminating the reliance on passwords is an increasingly important effort by service providers and security firms, especially as more employers moved to adopting remote work during the pandemic, leaving a simple username and password the key to getting inside a company's network. The effort to educate people about the security drawbacks of passwords and benefits of multiple factors of authentication are starting to pay off, especially among younger users. More than two-thirds of people in the United States used two-factor authentication in 2021, up from 28% in 2017. Nearly 80% of workers regularly using some form of the technology.
Microsoft on MFA
Google is not the only company that has documented the success of using a second factor to authenticate users. In a 2019, Microsoft cited research that suggested that nearly all victims of successful compromises did not have two-factor authentication on their accounts.
"[O]ne of the best things you can do is to just turn on MFA [multifactor authentication]," Melanie Maynes, a senior product marketing manager at Microsoft Security, wrote in a blog post. "By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks."
Still, new data from Microsoft's Azure Active Directory Service shows that only around 22% of organizations with Microsoft Active Directory (AD) employ MFA for their user accounts.
The addition of two-step verification and other forms of MFA means that account recovery becomes the next support headache and a potential vector of attacks. For that reason, Google has put additional effort into prompting users to enter in phone numbers and other ways of contacting them, Kim says.
"There is a lot of educating that needs to happen with 2SV and we want users to understand what it is and why it’s beneficial," she says. "We also need to make sure that users’ accounts are set up correctly with a recovery email and phone number so they can avoid account lockouts once 2SV is enforced."
The 50% reduction in successful compromised cited by Google is not comparing two populations but the improvement seen by users once they adopted 2SV, says Kim, who stressed that the improvement is not necessarily a "success rate."
"The data point isn't a one-to-one comparison," she says. Those initial adopters, for example, could be more security-conscious users and have already been more resilient to attack, suggesting that later adopters will benefit more. "We expect to see later cohorts of users be even better protected than they were before, as we continue to auto enroll users in 2SV."
Google intends to continue to push two-step verification as a minimum bar for its users, Kim says.
"Moving into 2022, we’ll continue to auto enroll people and work on casting a wider net by introducing technologies that make 2SV more accessible for everyone," she says. "We’re also actively encouraging users to take that initial step of providing their recovery phone number or email, to enable us to protect them so much better, including by turning on 2SV."
Kim also urged users to use the service's Security Checkup feature to make sure that they have taken all recommended steps to lock down their accounts.