Add a recovery phone number to block automated hijack attempts: Google

Study finds adding a phone number to a Google account blocks all automated attempts, 99% of bulk attacks, and 66% of targeted attacks.
Written by Chris Duckett, Contributor
(Image: Google)

Google has said the addition of a recovery phone number is able to block all automated bot attempts to access accounts via credential stuffing.

The search giant conducted a year-long study with New York University and the University of California, San Diego that resulted in a pair of papers.

"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation," researchers from Google AI said in a blog post.

See: Google wants you to stop using its SMS two-factor sign-in

The researchers found using an SMS code as an extra factor of authentication stopped 76% of targeted attacks, 96% of bulk phishing, and 100% of automated bots. While using prompts improves the numbers to 90% of targeted, 99% of bulk, and 100% of automated attacks.

For perfect scores across the board, users should use a physical key.

Also: Google to replace faulty Titan security keys

The researchers looked into 350,000 hijacking attempts on 1.2 million users across Google's 14 different login challenges.

The team said 38% of users were not able to access their phone when needing the extra authentication factor, while in a scenario asking for secondary email address, 34% of users could not name it. Regardless of challenge method, over 94% of people in all instances were able to regain access to their account in a week.

At last month's Google Cloud Next conference, the search giant said it wanted to use Android phones as security keys in the future.

"Think of it like a security key in almost every modern Android phone ... a very easy-to-use form factor for over a billion users," Google Trust and Security marketing lead Rob Sadowski said at the time.

"Having that as your authenticator really makes it easy to use and always available."

However, Google recommends at least two security keys be registered, in case one is lost.

More from Google

Editorial standards