Google Says Default 2FA Cut Account Breaches In Half (engadget.com) 31
Google's decision to enable two-factor authentication by default has resulted in a 50 percent decrease in account breaches among those users where the feature was auto-enabled. Engadget reports: The company didn't say how rapidly it expected 2FA to spread, but promised to continue the rollout through 2022. More than 150 million people have been auto-enrolled so far, including more than 2 million YouTube creators. The company also promised more security upgrades to help mark Safer Internet Day. As of March, Google will let you opt-in to an account-level safe browsing option that keeps you from visiting known harmful sites. Google is also expanding Assistant's privacy-minded Guest Mode to nine new languages in the months ahead, and has promised to ramp up safeguards for politicians ahead of the US midterm elections.
Wow (Score:5, Insightful)
That is remarkably bad. Either they have a lousy 2FA system, or people are giving out their second factor as easily as they give out their password.
Re:Wow (Score:4, Insightful)
Re:Wow (Score:5, Interesting)
The problem is fundamentally that for most folks, "2-factor" authentication almost never actually involves a truly independent second factor. You have things like:
Unfortunately, all of those can be compromised by stealing your phone or compromising the security of your phone. And they can also usually be compromised by some combination of compromising your recovery email address, tricking the phone company into transferring service to a new device, cloning your SIM card, etc. In other words, these are all very weak second factors that are effective only if you aren't being specifically targeted for compromise.
So what this suggests to me is that about half of all account compromises are random attacks on random accounts that are being done in bulk, without actually caring enough about compromising a specific target to use those other means. The other half (the ones that are successful) likely involve a particular person being attacked by someone who knows enough about that person to get past weaker two-factor authentication schemes.
If hardware two-factor were more ubiquitous, and websites were less averse to letting people stay signed in, these problems wouldn't exist. Requiring significant extra verification with a hardware second factor is fine as long as you only do it when you add a new device. And locking down a device is a lot easier than locking down an account, because physical theft is typically needed to compromise a device.
But instead, we have all these websites that kick you out after an hour, thinking that they're somehow making things "more secure", all the while causing people to send their passwords over and over again, making any sort of real security (like hardware two-factor) a pain in the backside. Add to that the lack of broad availability of NFC readers in computers for connecting hardware tokens, and you have a perfect storm of pain when you try to do true (hardware-based) two-factor authentication.
Security on the Internet is a mess, and I think the only way it will ever get meaningfully better is if Apple, Google, Microsoft, Firefox/Mozilla, and other browser vendors work together to create a unified single-sign-in standard, and pressure companies to support it broadly. It should incorporate hardware two-factor authentication by default, it should permanently persist authentication to each website on a per-device basis, it should provide a way to deauthorize a specific device, and it should be done entirely outside of the browser window so that it cannot be visually spoofed by phishing sites. Most importantly, each identity should be cross-platform and cross-browser, so that websites don't have to store associations between multiple browser-provided identities and a single website account.
Hey, a guy can dream, right?
Re: (Score:2)
Unfortunately, all of those can be compromised by stealing your phone or compromising the security of your phone.
That's the point. Some rando on the internet who grabs your password from a data breach at some other website probably lives on the wrong continent to steal your phone. The most common way that accounts are compromised is remotely. It's very low risk for the attacker, compared to physically stealing something you own.
Phone security is pretty good too, phone malware is expensive because the exploits are few and Google is quite good at detecting and removing it. Android is heavily sandboxed and makes it very
Re: (Score:2)
Unfortunately, all of those can be compromised by stealing your phone or compromising the security of your phone.
That's the point. Some rando on the internet who grabs your password from a data breach at some other website probably lives on the wrong continent to steal your phone. The most common way that accounts are compromised is remotely. It's very low risk for the attacker, compared to physically stealing something you own.
It's also worth pointing out the obvious, which is that probably a lot of the remaining half are from people whose recovery email password is the same as their Gmail password. This is where a browser-integrated security system like I suggested would be a huge win, because as long as it provides a boolean flag that website developers can check to see if an integrated account exists, the website integration code could provide (by default) a trivial way to migrate from an individual, password-based account to
Re: (Score:3)
That is remarkably bad. Either they have a lousy 2FA system, or people are giving out their second factor as easily as they give out their password.
Gmail has 1.8 billion users. Only 150 million users were auto-enrolled in 2SV. Anyway, users can turn it off and I'm sure many did.
I read some google blogs on this, and I can't find a clear statement of whether the reduction was 50% reduction in the compromised rate of all users, or 50% less than expected in the 150 million auto-enrolled users I'm guess the latter due to 150 million is much less than the 1.8 billion.
Re: (Score:3)
I read some google blogs on this, and I can't find a clear statement of whether the reduction was 50% reduction in the compromised rate of all users,
It says pretty clearly in the summary "among those users where the feature was auto-enabled."
Re: (Score:2)
Yes, but it doesn't say how many (if any) of the compromised accounts had turned if off again.
Re: (Score:3)
I read some google blogs on this, and I can't find a clear statement of whether the reduction was 50% reduction in the compromised rate of all users,
It says pretty clearly in the summary "among those users where the feature was auto-enabled."
Slashdot summaries are not always accurate. That's why I was questioning it.
Anyway, I did find that quote in a google blog, so it's good.
Re: (Score:2)
Slashdot summaries are not always accurate.
True point.
Re: (Score:2)
It doesn't say clearly what the criteria were for selecting those users. If they were the most at risk ones then they might be subject to some fairly advanced attacks, like malware stealing browser credentials.
Re: (Score:2)
Re: (Score:2)
To be quite honest, I don't remember the last time I heard about someone's account being compromised that way. Usually it involves access to the victim's email or SMSes
We're talking about email accounts being compromised, though.
Re: (Score:2)
Password theft/guessing is one of the most common ways that accounts are compromised. People re-use passwords a lot, and they get stolen a lot, and most are weak to begin with.
Remember all the celebrity iCloud hacks that stole their private photos? That was guessed passwords. It created a snowball effect, once one account was compromised the attacker got their contact list and from there could find passwords in leaked collections or just guess them. At the time Apple didn't have a limit on the number of gue
Re: (Score:2)
Re: (Score:2)
It doesn't say how they were compromised. Could be that they were mostly due to people accessing their already logged in computers/phones. Windows malware that steals cookies is another common one. That's why you sometimes get emails from Google saying "we noticed this device connected from Russia, click here to log it out".
2FA is highly effective against stolen passwords, but it's not magic.
Re: (Score:1)
How do you figure? It's not a complete roll-out yet. And if only half the users have enabled 2FA then a 50% reduction in compromised accounts is consistent with 100% effectiveness of their MFA.
They allow you to use open-system challenge-response devices like Yubikeys, and TOTP software like the one built into 1Password.
Re: (Score:2)
No, it says among users with it enabled, not among all users.
This Is Actually Terrible News (Score:4, Interesting)
It's terrible news because it means that Google still sees a massive number of account breaches.
2FA should have reduced it to zero, for accounts with 2FA enabled.
This is terrible news.
Re: (Score:2)
Well, they obviously aren't all using U2F keys.
https://krebsonsecurity.com/20... [krebsonsecurity.com]
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
-=-=-=
I use a U2F key with google. Not seeing much of a way around it. However, with Facebook,
Re: (Score:3)
It's terrible news because it means that Google still sees a massive number of account breaches.
2FA should have reduced it to zero, for accounts with 2FA enabled.
This is terrible news.
After being auto-enrolled, many people turned that feature off.
I'd guess most of the auto-enrolled people did that. I also guess that group of "people who turned off the 2SV" also contains a sub-group "the ones who are too lazy to generate a unique password".
Re: (Score:3)
Re: (Score:1)
2FA should be through something like a hardware key or the authenticator app. I won't say that 2FA through text message is a complete joke, but there are enough security problems with SMS that it can't be considered as good as a hardware solution.
Re: (Score:2)
You can happily say that and not be wrong at all. 2FA through a text message is an absolute joke. The text message should be used as "Someone did something", and that's all. It shouldn't be the 2 in 2FA. It should be the notification.
Re: (Score:2)
This is just another way for them to get my cell number, and increase the spam calls/texts I get.
You may be right, it also might be about linking your account to a very not private unique number that they probably already have loads of personal information on.
I recently tried to create a discord account for the first time only to be flagged as suspicious before even finishing my email verification. When I gave my home/voip number which has great unwanted phone call mitigation, I was informed that it had to be a valid mobile number. After searching their support pages I discovered that they are quite
Re: (Score:2)
2FA also gave Google more information (Score:2)
Re: (Score:2)
2FA that is only partially effective
2FA is only as good as the user. If they are willing to hand out the 6-digit code to whomever asks, the best 2FA in the world isn't going to be effective. (Obviously requiring a hardware key to be inserted is far more idiot proof, but that's a bit more than your standard e-mail user is going to tolerate.)
Initial Setup version of Google Login (Score:3)
There was once a flaw in Android that allowed an app to display the special "Initial Setup" version of a Google login, giving permanent and persistent access to a Google account as if it was installing on a phone for the first time.
The example app displayed a "Sign in with Google" button, when you clicked that, it loaded the special "Initial Setup" version of the Google Login page, then edited the HTML to remove any sign that it was anything other than an ordinary Google login, then snatched the long-term credentials.
Re: (Score:3)
Found the article: https://ethanblake4.medium.com... [medium.com]
Does google also talk about... (Score:2)