Google data shows 2-factor authentication blocks 100% of automated bot hacks

Google data shows 2-factor authentication blocks 100% of automated bot hacks

Two-factor authentication is annoying. Getting flustered because you have to find your phone and tap on a prompt every time you log into your accounts from a new device is peak first-world problems. But if you ever had any doubt whether it really made you that much safer, Google has the data to dispel that uncertainty.

If you’re not familiar with two-factor authentication (2FA) or two-step verification, it’s all about using an extra layer of security to prove the person logging into an account or device is really you. Even if someone steals or guesses your password, they won’t be able to access your information without another authenticator. Sometimes that means typing in a code you received on your smartphone or tapping on a prompt on a separate device. If you need more security, you could even get a physical device that connects to your computer to verify your identity.

Google supports these forms of 2FA and others;  if you have it enabled on your Android device, you’ve probably come across the “Trying to sign in?” prompt. The company teamed up with researchers from New York University and the University of California, San Diego in a year-long study to research how effective 2FA really is. Just check out this graphic:

Receiving a secondary SMS code blocked 100 percent of automated attacks, 96 percent of bulk phishing attacks, and 76 percent of direct, targeted attacks – like those made by hired hackers. Using on-device prompts brings those numbers up to 100, 99, and 90 percent, respectively. The improvement is likely due to the fact that it’s harder to get someone to tap an on-device prompt than it is to try to dupe them into giving away an access code. Of course, using a physical security key is safest, blocking 100 percent of each kind of attack during Google‘s investigation.

Other forms of 2FA such as providing a secondary email address, phone number, or your last sign-in location were much less secure; able to generally fend off bots but not phishing or targeted attacks. For most people, simply adding a recovery phone number to your Google account can make it much easier to keep your account safe when Google detects suspicious activity.

New research: How effective is basic account hygiene at preventing hijacking on Google

Read next: China could hurt Apple profits by 29% if it avenged the Huawei ban, says analyst