Here's the Best Way to Protect Your Accounts From Hacker Takeovers

Researchers looked at multifactor authentication tools like physical security keys, on-device prompts, and text messages to figure out how well these techniques really protect you. It turns out: really well.

The security key prevented 100 percent of attempted account takeovers of all types in the year-long study. Last year, Google said there hasn’t been a single account takeover of a Google employee since they started using security keys.

Account takeover prevention by type

Another strong option is the on-device prompt. Many important online accounts allow you to use authenticator apps like Google Authenticator or, like Gmail, in-app prompts that help prove your identity to the platform. These prompts beat 100 percent of automated attacks, 99 percent of bulk phishing attacks, and 90 percent of specifically targeted attacks, according to the group’s findings.

Last week, we talked about how text message two-factor authentication is relatively weak compared to easy alternatives. Google’s study confirmed that idea: SMS codes are less effective protection than on-device prompts or security keys. But they’re still far, far more effective than having no multifactor authentication at all. The researchers found that SMS codes beat 100 percent of automated account takeover attempts, 96 percent of bulk phishing attacks and 76 percent of targeted attacks.