Love it or leave it, two-factor authentication works. It is cumbersome and requires extra steps, but it cuts down on hacking and phishing significantly. Google's approach with a recovery phone number for your account works wonders, too, and the company collaborated with New York University and the University of California, San Diego to prove it.
What the researchers found, in one of the largest studies of this kind, is that "simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation."
Why the lower number for targeted attacks? While the bots and phishing automatons are the most annoying type of hacking efforts, targeted attacks are something else entirely. The "hacks for hire" in the dark Internets offer access to your account for as low as $750, explains Google. What makes them the most dangerous is that they specifically target your account, masquerading as friends, relatives, the government or even Google itself. This, the company claims, is part of one such spear-phishing attempt to get the code sent to your recovery phone:
Such sophisticated targeted attacks affect a very small percentage of account users, yet Google warns that only enrolling in its Advanced Protection Program, which requires security keys, is a bulletproof defense against them.
Why is supplying Google with a recovery phone number so important for preventing bots and bulk phishing? Well, the alternative is what Google calls "knowledge-based challenges" that ask you for, say, the last location where you signed in.
Unfortunately, such questions proved too complicated for many users, who were left locked out of their accounts as a result, so Google is adamant that providing it with a recovery phone has proven to be the best thing you can do to secure your account without going to extremes.