Google's move to auto-enroll users into two-step verification has resulted in 50% fewer account compromises among those enrolled, the tech giant said in a Tuesday blog post.
The post comes four months after Google began to turn on multifactor authentication by default in October, while also making the move to auto-enroll more than 150 million Google users into Google's two-step verification (2SV) process. The company also added mandatory two-step verification to more than 2 million YouTube accounts.
Account holders have several options for multifactor authentication (MFA), including prompts displayed in Google apps on the user's phone, voice or text message verification, backup codes, an authenticator app and physical security keys.
Google director of account security and safety Guemmy Kim discussed early findings from the move in a blog post titled "Making you safer with 2SV." In the post, Kim wrote that among the group of over 150 million users auto-enrolled in two-step verification, "we have seen a 50% decrease in accounts being compromised among those users."
"This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information," she wrote. "And while we're proud of these initial results, and happy with the response we have received from our users and the community, we're excited about other ongoing work we're doing behind the scenes to make our users even safer."
The blog post added that Google was "actively working on technologies that provide a secure, seamless sign-in experience and eliminate reliance on passwords," and that they will continue 2SV auto-enrollments this year.
Google did not respond to SearchSecurity's request for additional information regarding the "50% decrease" cited in the blog post.
UPDATE (2/10): A Google spokesperson provided additional clarification in an email to SearchSecurity Wednesday evening.
"Every day, Google automatically blocks 99% of the attacks that are attempted -- so this refers to that 1% and to further clarify the 50% decrease doesn't reflect 'success rates.' Rather, we found that among those we auto enrolled, a 50% decrease in account hijackings occurred among that user set, so the data point isn't a 1:1 comparison," they wrote. "However, we expect to see later cohorts of users be even better protected than they were before, as we continue to auto enroll users in 2SV."
As for why the 50% decrease wasn't even greater, one reason could involve the slightly increased inconvenience associated with MFA methods. Users can, at least for the most part, disable two-step verification, and Google's Account Help Community shows numerous users criticizing the auto-enrollment and asking how to disable it. In addition, a well-executed social engineering attack can still bypass MFA.
The Google spokesperson also said, "credential theft remains one of the greatest vectors for account hijackings."
Google declined to provide a specific number of account compromises post-automatic enrollment. However, the spokesperson said Google is working to enroll as many users into 2SV as possible.
"We are actively working to continue to auto enroll as many users as possible and we are committed to doing that as quickly as we can," they said. "There is a lot of educating that needs to happen with 2SV and we want users to understand what it is and why it’s beneficial. We also need to make sure that users’ accounts are set up correctly with a recovery email and phone number so they can avoid account lockouts once 2SV is enforced. We’ve already enrolled users that we deem to be early adopters and whose accounts were 2SV ready."
Still, MFA is widely considered to be an effective first line of defense against threat actors, as methods like mobile phone prompts and authentication apps can add significant protection against account compromise.
Alexander Culafi is a writer, journalist and podcaster based in Boston.