Google Claims Forcing 2FA On 150M User Accounts Led To 50 Percent Fewer Hijacks (2024)
Back in May of last year, we reported on a new campaign by Google to increase user account security through a number of methods. As part of this campaign, Google announced its plans to drive people to use two-factor authentication (2FA), saying that users whose accounts are appropriately configured would begin to be automatically enrolled in 2FA.
Then, in October, Google announced its intention to enable 2FA for 150 million Google accounts and 2 million YouTube creators by the end of 2021. We’re now in 2022, and Google’s push to enable 2FA has been a rousing success so far, according to a blog post by the company.
Google reports that it successfully auto-enabled 2FA for over 150 million accounts and implemented a 2FA requirement for over 2 million YouTube creators. Google claims that these efforts resulted in a 50% decrease in account compromises among users with 2FA enabled.
Google lauds these results as a demonstration of the effectiveness of 2FA for securing people’s data and personal information. That said, the company states that it is working on further efforts to increase account security. One of these efforts has been building security key support directly into Android phones, and extending this support to Apple devices by way of the Google Smart Lock app.
Google says that it will continue to automatically enroll users in 2FA in 2022, but the company encourages users not to wait and to enable 2FA themselves. If you’re unfamiliar with 2FA, we recently highlighted Google Authenticator, a popular 2FA option that uses time-based one-time passwords (TOTP). There are other third-party apps for TOTP, but exercise scrutiny in your choice of authenticator app: a fake one can carry malware, and it also sees the shared secret at enrollment, so it can generate your codes for someone else.
Google actually uses the broader term two-step verification (2SV), but all of Google’s available 2SV methods qualify as 2FA. 2FA requires not only a second step in the login process but also a second factor of a different kind from the password: possession of a specific device, key, or code. If Google simply sent users a login verification link by email, that email could be read on any device that has the mailbox password, so it would be a second step (2SV) but not a second factor (2FA).
Instead, Google offers a number of methods for receiving prompts or codes on particular devices that users have pre-verified or set up for that purpose. As mentioned above, Google also supports hardware security keys, as well as backup codes that you can store somewhere safe. All of these methods require the user to have a specific secondary authenticator in their possession, so they qualify as not just 2SV but 2FA.
How 2-Step Verification helps protect your personal info: the personal information in online accounts is valuable to attackers, and password theft is the most common way accounts are compromised. For example, deceptive messages or lookalike sites often trick people into sharing their passwords.
See, one of the biggest issues I and many others had with Google's 2FA app was that all the accounts associated with the app were stored locally on the device. That's good. Unfortunately, if you were to lose your phone or it was damaged, you wouldn't have access to your codes anywhere.
Many 2FA deployments send temporary codes via SMS or email, but those channels can be intercepted: SMS through SIM swapping, email through takeover of the mail account, and either through a man-in-the-middle (MitM) phishing page that relays the code in real time. To avoid the delivery-channel weaknesses, businesses should use authenticator apps such as Google Authenticator or Microsoft Authenticator. Note the caveat, though: an app-generated TOTP code can still be phished and relayed within its validity window; only a hardware security key binds the second factor to the genuine site.
Your account is more secure when you need a password and a verification code to sign in. If you remove this extra layer of security, you will only be asked for a password when you sign in, and it becomes easier for someone to break into your account.
Also, services often hand out backup codes rather than explicitly suggesting that you save the TOTP secret itself. If you lose the secret and sign in with a backup code, you will have to go through the whole TOTP enrollment again. Backup codes are displayed and delivered online, which is often insecure unless you move them somewhere safe offline.
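Backup codes only work as a safety net if the server treats each one as a single-use, low-entropy secret. The following is an added example (not Google's implementation, which is not public) of how a service can issue and redeem them: codes are generated with a CSPRNG, stored only as salted PBKDF2 hashes so a database leak does not expose them, compared in constant time, and deleted on first use. The store class and code format are this example's own choices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERS = 100_000   # slow hash: an 8-hex-char code has only 32 bits of entropy


def normalize(code: str) -> str:
    """Users retype codes with spaces, dashes or capitals; compare on the canonical form."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERS)


@dataclass
class BackupCodeStore:
    """Per-user server-side state: one salt and the hashes of codes not yet consumed."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)

    def issue(self, count: int = 10) -> list:
        """Generate a fresh set (invalidating any older one) and return the plaintexts
        exactly once; the server never keeps them."""
        codes = []
        for _ in range(count):
            h = secrets.token_hex(4)           # 8 hex chars, e.g. 3f9a-c27e
            codes.append(f"{h[:4]}-{h[4:]}")
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code at most once: constant-time compare against every unconsumed
        hash, and remove the match so a replayed code fails."""
        digest = hash_code(code, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print(codes)                       # shown to the user once, to be stored offline
    print(store.redeem(codes[0]))      # True
    print(store.redeem(codes[0]))      # False: already consumed
    print(store.remaining())           # 9
```

Because each code carries little entropy, the redeem path must sit behind the same rate limiting as the password check; the slow hash only protects the stored hashes, not the online guessing surface.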
Even if the user never responds to a push login request or never enters the one-time password (OTP) when prompted, the attacker has still learned that the password works: the second-factor challenge is only issued after a correct password, while a wrong password is rejected straight away, so the prompt and the different response timing are a tell. Most of us know where this is going: the attacker keeps repeating the login attempt, hoping the user eventually taps Approve.
In 2020, an Android malware strain was reported to be extracting and stealing one-time passcodes generated by Google Authenticator. The app has also previously been criticised for lacking a passcode or biometric lock of its own, which increases the danger a lost or unlocked device poses to an organization.
Because session cookies identify an authenticated user and track their activity, hijacking them lets an attacker bypass 2FA entirely: the cookie is issued only after the second factor has already been satisfied. A phishing website is one of the most popular tools for conducting such MitM attacks. Posing as a trusted entity, the criminal sends the victim a link and has them authenticate through it, relaying the password and the one-time code to the real site and capturing the resulting session cookie.
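The difference between a code that can be relayed and a hardware security key that cannot comes down to what the relying party verifies. As an added example covering both the code-interception paragraph above and this MitM one (not code from the article or from Google), the following models a WebAuthn assertion ceremony: the browser embeds the origin it actually loaded into clientDataJSON, the authenticator signs over that data plus the rpIdHash and a signature counter, and the server rejects anything whose origin is not its own. The relying-party names are hypothetical, and an HMAC stands in for the key's ECDSA signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed relying party; both names are constructed for this example.
RP_ID = "accounts.example"
EXPECTED_ORIGIN = "https://accounts.example"
PHISHING_ORIGIN = "https://accounts-example.net"   # constructed lookalike site


def browser_client_data(challenge: str, origin: str) -> bytes:
    """The browser builds clientDataJSON from the origin it really loaded; a page on a
    lookalike domain cannot claim the genuine origin here."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                      separators=(",", ":")).encode()


def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte, UP bit set) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", sign_count)


def authenticator_sign(cred_key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """Stand-in for the security key's ECDSA signature over
    authenticatorData || SHA-256(clientDataJSON). HMAC is used only so this runs offline."""
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(cred_key, msg, hashlib.sha256).digest()


def verify_assertion(cred_key, client_data, auth_data, signature,
                     expected_challenge, stored_sign_count):
    """The relying party's checks, in the order WebAuthn lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"              # replay of an old assertion
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"                 # the phishing-resistance check
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count <= stored_sign_count:
        return False, "sign count did not increase"     # cloned-key or replay indicator
    if not hmac.compare_digest(authenticator_sign(cred_key, auth_data, client_data), signature):
        return False, "bad signature"
    return True, "ok"


CRED_KEY = secrets.token_bytes(32)   # constructed per-credential key held by the authenticator


def login(origin_seen_by_browser: str, stored_sign_count: int = 5):
    """One ceremony: the server issues a challenge, an attacker (if present) relays it
    verbatim, the browser signs with the origin it is actually on, the server verifies.
    In a real browser the credential scoped to RP_ID would not even be offered on the
    lookalike domain; the origin check here is the server-side line of defence."""
    challenge = secrets.token_urlsafe(32)
    client_data = browser_client_data(challenge, origin_seen_by_browser)
    auth_data = authenticator_data(RP_ID, stored_sign_count + 1)
    signature = authenticator_sign(CRED_KEY, auth_data, client_data)
    return verify_assertion(CRED_KEY, client_data, auth_data, signature, challenge, stored_sign_count)


def legitimate_login():
    return login(EXPECTED_ORIGIN)


def phishing_relay_login():
    """Victim is on the lookalike page; attacker relays challenge and assertion live."""
    return login(PHISHING_ORIGIN)


if __name__ == "__main__":
    print(legitimate_login())       # (True, 'ok')
    print(phishing_relay_login())   # (False, 'origin mismatch')
```

Contrast this with a relayed TOTP code: the server receives a valid code with no information about where the user typed it, so the relay succeeds and the session cookie it yields is the attacker's.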
Multi-factor authentication (MFA) and two-factor authentication (2FA) are often used interchangeably, but they are not quite the same thing: MFA means two or more factors of different kinds (something you know, have, or are), while 2FA is the special case of exactly two. Every 2FA login is therefore MFA; adding a third factor can raise assurance further, but MFA is not more secure than 2FA by definition.
While using two-factor authentication makes accounts more secure, it is not a 100% guarantee, so it is important to adopt and maintain good online security habits as well. These include setting strong passwords, not sharing your passwords with others, and not leaving your phone unattended.
An attacker who got your username and password from a data breach or a phishing attack won't be able to get into your account without the second factor. This forced use of 2FA applies only to personal Google accounts; Google Workspace accounts will continue to use 2FA at the discretion of company IT departments.
To help protect you from abuse, we sometimes ask you to prove you're not a robot before you can create or sign in to your account. This extra confirmation by phone helps keep spammers from abusing our systems. Tip: To verify your account, you need a mobile device.
Push-based 2FA is vulnerable to attacks in which the user approves a request the attacker initiated without realising it. This happens because the push notification may carry no context (which app, from which device or location) about what is being approved, so a user who is expecting a prompt, or who simply wants the notifications to stop, taps Approve.
The error may simply be a sign-in issue, which sometimes occurs after the Play Store is updated. The first thing to try is to go into your phone's main Settings menu, then Accounts & sync, and remove the Google account that is getting the "authentication is required" error.
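From the defender's side, the two failure modes just described (the password oracle behind every issued prompt, and the user who approves after a run of refusals) both leave a signature in authentication logs. The following is an added detection example, not Google's tooling: it runs over a handful of constructed log lines in an assumed `key=value` format and raises an alert when a user receives more than a threshold of push prompts inside a window, and a separate alert when an approval follows repeated denials or timeouts. Thresholds and the log format are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): alice is being prompt-bombed and finally
# approves; bob is a normal login that should produce no alert.
SAMPLE_LOG = """\
2022-02-10T09:00:01Z user=alice src=203.0.113.7 event=password_ok
2022-02-10T09:00:02Z user=alice src=203.0.113.7 event=push_sent
2022-02-10T09:00:35Z user=alice src=203.0.113.7 event=push_denied
2022-02-10T09:00:50Z user=alice src=203.0.113.7 event=push_sent
2022-02-10T09:01:20Z user=alice src=203.0.113.7 event=push_timeout
2022-02-10T09:01:25Z user=alice src=203.0.113.7 event=push_sent
2022-02-10T09:01:55Z user=alice src=203.0.113.7 event=push_denied
2022-02-10T09:02:00Z user=alice src=203.0.113.7 event=push_sent
2022-02-10T09:02:09Z user=alice src=203.0.113.7 event=push_approved
2022-02-10T09:05:00Z user=bob src=198.51.100.4 event=password_ok
2022-02-10T09:05:01Z user=bob src=198.51.100.4 event=push_sent
2022-02-10T09:05:09Z user=bob src=198.51.100.4 event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, user, src, event) tuples, oldest first;
    lines that do not match the expected shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["event"]))
    return sorted(events)


def detect_fatigue(log_text: str, window: timedelta = timedelta(minutes=10),
                   max_prompts: int = 3, min_rejections: int = 2) -> list:
    """Return (user, alert_kind, count, src) tuples.
    prompt_bombing: more than `max_prompts` pushes to one user inside `window`
    (fires once, when the threshold is crossed).
    approval_after_rejections: an approval preceded by >= `min_rejections`
    denials/timeouts inside `window`, the classic fatigue-approval pattern."""
    alerts = []
    sent = defaultdict(list)       # user -> push_sent timestamps inside the window
    rejected = defaultdict(list)   # user -> push_denied/push_timeout timestamps
    for ts, user, src, event in parse(log_text):
        for bucket in (sent[user], rejected[user]):
            while bucket and ts - bucket[0] > window:
                bucket.pop(0)      # slide the window forward
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) == max_prompts + 1:
                alerts.append((user, "prompt_bombing", len(sent[user]), src))
        elif event in ("push_denied", "push_timeout"):
            rejected[user].append(ts)
        elif event == "push_approved" and len(rejected[user]) >= min_rejections:
            alerts.append((user, "approval_after_rejections", len(rejected[user]), src))
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

A prompt_bombing alert deserves more than blocking the source: every push_sent means the password was accepted, so the credential itself is compromised and should be reset, which is the point of the password-oracle paragraph above.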
2-Step Verification (also known as two-factor authentication) is an extra layer of security for your account. 2-Step Verification helps keep out anyone who shouldn't have access to your account by requiring you to verify access to a trusted device or token after you enter your password.