Google’s move to auto-enroll users into two-step verification has resulted in 50% fewer account compromises among those enrolled, the tech giant said in a Tuesday blog post.
The post comes four months after Google began turning on multifactor authentication by default in October and moved to auto-enroll more than 150 million Google users into its two-step verification (2SV) process. The company also added mandatory two-step verification to more than 2 million YouTube accounts.
Accounts have several options for multifactor authentication (MFA), including prompts displayed in Google apps on the user’s phone, voice or text message verification, backup codes, an authentication app and physical security keys.
Google director of account security and safety Guemmy Kim discussed early findings from the move in a blog post titled “Making you safer with 2SV.” In the post, Kim wrote that among the group of over 150 million users auto-enrolled in two-step verification, “we have seen a 50% decrease in accounts being compromised among those users.”
“This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information,” she wrote. “And while we’re proud of these initial results, and happy with the response we have received from our users and the community, we’re excited about other ongoing work we’re doing behind the scenes to make our users even safer.”
The blog post added that Google was “actively working on technologies that provide a secure, seamless sign-in experience and eliminate reliance on passwords,” and that it will continue 2SV auto-enrollments this year.
Google did not respond to SearchSecurity’s request for additional information regarding the “50% decrease” cited in the blog post.
As for why the 50% decrease wasn’t even greater, one reason could involve the slightly increased inconvenience associated with MFA methods. Users can, at least for the most part, disable two-step verification, and Google’s Account Help Community shows numerous users criticizing the auto-enrollment and asking how to disable it. In addition, some attacks, such as a well-executed social engineering attack, can still bypass MFA.
Still, MFA is widely considered to be an effective first line of defense against threat actors, as methods like mobile phone prompts and authentication apps can add significant protection against account compromise.
Alexander Culafi is a writer, journalist and podcaster based in Boston.