Google (via Kevin Beaumont):
We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.[…]
Given the security benefits of challenges, one might ask why we don't require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.