Why Does Google Need Your Personal Phone Number?
In a recent blog post, Kurt Thomas and Angelika Moscicki from Google's security team spoke about, among other things, account hijacking and how much it costs. It turns out that a hacking group can charge as much as $750 for the compromise of a single account. In light of this, people's woeful security habits seem even more baffling. Cybercriminals stand to pocket significant sums of money for breaking into accounts, and yet users continue to protect those accounts with weak and reused passwords.
Security experts have put a lot of effort into trying to raise awareness around the importance of passwords. They've been trying to present the problem in simple terms, they've given real-world examples, and they've shown how a solid password management solution can easily solve the issue. The list of arguments for a strong password is practically endless, but people just won't listen.
The problem of friction and Google's solution
There is a solution of sorts – two-factor authentication (2FA). All popular online services offer forms of two-factor authentication, and people have been told time and again that using it can dramatically improve their chances of keeping their accounts safe. Unfortunately, adoption rates remain pretty poor, and experts reckon that this is because 2FA introduces too much of what is known in the industry as "friction".
Users don't like the idea of having to enter a secondary code every time they try to log in to their accounts. They don't see the added security as enough of an incentive and instead regard the extra steps as an unnecessary complication. It is indeed hard to argue with the fact that 2FA makes signing in more difficult, and try as they might, the specialists can't convince Joe and Joanne Average that the extra effort is worth it. Google's security people reckon that they've cracked the riddle.
Basically, they are talking about a 2FA system that is triggered only upon suspicious login attempts. The idea is that when you're in your home town, signing into your Google account on your own devices, you'll just need to enter your email address and your password. If, on the other hand, Google notices a login attempt from an unrecognized device located in another country, it will also require you to either enter a temporary code sent to you via SMS or tap a prompt on your smartphone. For the most part, your experience won't be changed in any way. At the same time, if a hacker on the other side of the world guesses your password, they won't be able to take over your account because they don't have access to your phone. In theory, it's a good compromise, and Google's security specialists have gone to great lengths to convince people that it will also work in practice.
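As an added illustration (not Google's code and not part of the original post), here is the step-up decision described above reduced to a small policy: a login from a recognized device in the account's home country needs only the password, while anything else also needs the phone. The Account and LoginAttempt models, the two risk signals and the "remember the device after a passed challenge" behaviour are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed model of a risk-aware step-up policy. The risk signals
# (device and country), the trusted-device list and the decision names
# are assumptions for this illustration, not Google's implementation.

@dataclass
class Account:
    home_country: str
    trusted_devices: set = field(default_factory=set)

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    password_ok: bool
    second_factor_ok: bool = False  # SMS code entered or phone prompt tapped


def is_suspicious(account: Account, attempt: LoginAttempt) -> bool:
    """A login is low-risk only when both signals match what the account knows."""
    known_device = attempt.device_id in account.trusted_devices
    home_location = attempt.country == account.home_country
    return not (known_device and home_location)


def evaluate_login(account: Account, attempt: LoginAttempt) -> str:
    """Return 'deny', 'allow' or 'challenge' (second factor required)."""
    if not attempt.password_ok:
        return "deny"                  # a wrong password never reaches the 2FA step
    if not is_suspicious(account, attempt):
        return "allow"                 # home town, own device: password is enough
    if attempt.second_factor_ok:
        # A completed challenge proves possession of the phone; remember the
        # device so the next login from it does not trigger the prompt again.
        account.trusted_devices.add(attempt.device_id)
        return "allow"
    return "challenge"                 # guessed password alone is not enough here


if __name__ == "__main__":
    acct = Account(home_country="GB", trusted_devices={"laptop-1"})
    print(evaluate_login(acct, LoginAttempt("laptop-1", "GB", password_ok=True)))
    print(evaluate_login(acct, LoginAttempt("unknown", "BR", password_ok=True)))
```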
Google tries to get people on board
Members of Google's security team teamed up with experts from New York University and conducted a study to see how well this so-called risk-aware authentication system works. The results certainly look promising.
According to the report, if you opt to use temporary codes delivered via SMS, your account will withstand virtually all takeover attacks launched by automated bots. The feature will also increase your chances of staying safe during bulk or targeted phishing attacks. If you opt to have an on-device prompt as an authentication factor, the figures look even better, and Google's experts are hoping that because people won't have to go through the process every time they try to log in, they will be more inclined to adopt the system. But will they actually do it?
The privacy concerns
As things stand, big Silicon Valley companies, including Google, have quite a lot of information about us already. Recent scandals have shown us that sometimes, as big and powerful as they are, tech giants just don't do enough to protect our personal details, and privacy advocates advise us to give them as little personal data as possible.
Activating the system described above means giving Google your personal phone number and letting the search engine giant use it as an account recovery mechanism. Plenty of you will probably have a problem with this, and we're sure that you have your strong arguments. In this case, however, you shouldn't forget that the security of your account and the data in it is at stake. Ultimately, you will be making your own choice, but before you do, think carefully about whether your doubts about the way Google handles your data are enough to offset the added protection that the risk-aware and two-factor authentication systems deliver.