Here's the Best Way to Protect Your Accounts From Hacker Takeovers

Photo: Patrick Howell O’Neill

It’s easy to be a security pessimist.

Hackers and data breaches make headlines on this website and all over the internet every single day. Is there anything a normal person can really do to protect themselves?


Actually, yes. Taking a simple and easy step like turning on strong multifactor authentication turns out to be an incredibly effective way of protecting your online accounts. New research from Google, New York University, and the University of California, San Diego shed new light this week on exactly how powerful a small handful of protections can be.

Researchers looked at multifactor authentication tools like physical security keys, on-device prompts, and text messages to figure out how well these techniques really protect you. It turns out: really well.

The most effective tool you can have to prevent someone from hijacking your account is a security key. The way it works is that a website like Google can ask for additional proof of who you are beyond just your password. Companies like Yubico, Feitian, and, yes, Google make these security keys.

The security key prevented 100 percent of attempted account takeovers of all types in the year-long study. Last year, Google said there hasn’t been a single account takeover of a Google employee since they started using security keys.

This is the tool used by journalists, politicians, human rights defenders and people for whom cybersecurity can be a matter of life and death. Don’t let that 100 percent mark fool you: it’s not perfect, as Google’s recent recall of its Titan keys over a Bluetooth vulnerability proves, but it’s singularly powerful. And, crucially, the keys are affordable, too.

Graphic: Google

Another strong option is the on-device prompt. Many important online services let you use an authenticator app like Google Authenticator or, as Gmail does, an in-app prompt that proves your identity to the platform. These prompts beat 100 percent of automated attacks, 99 percent of bulk phishing attacks, and 90 percent of specifically targeted attacks, according to the group’s findings.

Last week, we talked about how text message two-factor authentication is relatively weak compared to easy alternatives. Google’s study confirmed that idea: SMS codes are less effective protection than on-device prompts or security keys. But they’re still far, far more effective than having no multifactor authentication at all. The researchers found that SMS codes beat 100 percent of automated account takeover attempts, 96 percent of bulk phishing attacks and 76 percent of targeted attacks.


The study looked at other account takeover prevention tools as well.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” researchers Kurt Thomas and Angelika Moscicki wrote about the year-long study on wide-scale attacks against Google accounts.


Adding a secondary email address is another positive step that makes account takeovers far less likely, the research shows.

Being a security pessimist is understandable, but being a security realist might be better for your digital health. Stay educated, take a couple of simple and effective steps, and find yourself as well protected as you can be.


Reporter in Silicon Valley. Contact me: Email, Signal +1-650-488-7247


Best I can tell, Google’s security keys are rebrands of Feitian’s keys. (Doesn’t mean they aren’t good, though.)

I personally bought two Feitian USB-A+NFC keys. My only regret is that they don’t have FIDO2 support and therefore I can’t use them with my Microsoft Account. (I’m hoping to upgrade to a pair of Yubikey 5 NFCs in the next year and rid my MS accounts of passwords entirely.) Always have two or three keys. (No more: that’s just a weak point waiting to happen.)
Hell, in the future, if/when I make enough money to do so, I’m gonna look into WebAuthn custom setups for my home and car.

Everyone should get a set of FIDO2-compatible security keys. If your phone and your computer both have USB-C ports, get a key that uses that. Use them with EVERY service you use that supports them. Microsoft, Google, GitHub, LastPass/Dashlane/Bitwarden/some other password manager, your local Linux install (via pam.d)...