Republished on June 6 with a new warning about surging password attacks.
Your email is under attack. You know this, of course, but Google just confirmed that 61% of email users have been targeted by attacks. If that sounds alarming, the situation with text messaging is even worse, hitting almost all American phone users.
Google also warns that more than 60% of U.S. users saw “an increase in scams over the past year,” with more than half “personally experiencing a data breach.” While these numbers are “far from surprising,” Google says, what is surprising is that almost all users are yet to upgrade their accounts to make them safer and more secure.
Most users, Google says, “still rely on older sign-in methods like passwords and two-factor authentication (2FA),” despite the push to upgrade accounts to passkeys as well as social sign-ins, which use authenticated platforms like “Sign in with Google.”
The situation is slightly more promising with younger users. “Digitally-native Gen Z users are bypassing outdated security norms like passwords, opting for more advanced authentication tools.” Google says this generation is “more reliant on passkeys or social sign-ins,” although they’re also more likely to reuse passwords and less likely to change them.
Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.
Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign-ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”
Adding a passkey to your Google account also means “you can rely on just your Google Account to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.” Put more simply, because passkeys link to your hardware, primarily your phone, this secure device becomes a digital key for all critical accounts.
The importance of acting quickly has been reinforced in the latest report from the team at Check Point. “Breaches are not a matter of if but when, which is why relying solely on passwords is a dangerous oversight… If you think your users’ passwords are secret, think again. Credential dumps from breached companies are traded daily on the dark web. Password reuse is rampant. Phishing attacks are more sophisticated than ever, and employees are fallible — always have been, always will be.”
As Check Point says, “attackers don’t ‘hack’ most systems today. They log in using stolen credentials obtained through phishing, social engineering, credential stuffing, or simple brute force attacks. Once inside, they move laterally, escalate privileges, and exfiltrate data, often going unnoticed for months.”
Per the FIDO Alliance, the answer is passkeys. “Passkeys are phishing resistant and secure by design. They inherently help reduce attacks from cybercriminals such as phishing, credential stuffing, and other remote attacks. With passkeys there are no passwords to steal and there is no sign-in data that can be used to perpetuate attacks.”
Microsoft has gone further than Google and is pushing for users to delete passwords altogether, given they present an account vulnerability if still in place. While you can’t do that with your Google account today, you can avoid using your password and you can change 2FA to remove SMS and only use options linked to your devices — authenticator apps or Google prompts. As Google suggests, make those account changes today.







