Adding a Recovery Phone Number Blocks 100% of Automated Bot Attacks, Finds Google

Google found that users who add a recovery phone number to their accounts effectively block 100 percent of automated bot attacks by doing so.

The tech giant arrived at this finding after teaming up with New York University and the University of California, San Diego to investigate the efficacy of basic account hygiene in preventing account hijacking. It then presented the results of this year-long study on 22 May at The Web Conference.

Google researchers Kurt Thomas and Angelika Moscicki explained that Google responds to a suspicious sign-in attempt such as from a new location or device by asking the user to provide additional proof of identity as a means of verifying themselves. They found that those who’ve signed into their phones or who use a recovery phone number in those instances can protect their accounts against all automated bot attacks. The same went for other verification measures such as last sign-in location and security keys, though a secondary email address was effective against just 73 percent of automated bots attempts.

A recovery phone number has its limits, Thomas and Moscicki uncovered. They found that it wasn’t as effective against phishing attacks or targeted campaigns in particular. However, they determined that users can compensate for these effects by activating SMS codes or on-device prompts.

As quoted in their research:

If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.