I highly recommend enabling the two factor authentication feature. I got my account targeted by some botnet and was breached several times regardless of how ridiculous my password was. Of course, this all stopped the moment I started using two factor auth.
After being a WoW user, I think two factor auth only works if it is forced on all accounts.
Here's a scenario that plays out in WoW all the time and it happened to me. Basically, a user quits playing WoW and their account gets hacked at some point after they quit. The hacker then turns on 2 factor auth via the WoW authenticator app. It is now impossible for the original user to log in to the account or reset passwords. To fix this you must argue and explain with customer support that the account was hacked and that the 2 factor auth is preventing you from resetting passwords and such.
So, unless you turn on two factor auth up front for all users, it's going to actually make it worse for the end user if their account gets hacked. So, like captchas, it's solving one problem and creating another for the user. I'm not sure that is the best solution.
2 factor auth is not a defence against phishing. This is such a common misconception. All two-factor means is that someone with only your password, or only your device, cannot log in.
What's happening here is that Google accounts without 2-factor but with a phone recovery path set up are being "account recovered" by a bad guy. It's just plain old phishing.
I use this too, but I don't think it actually prevents the attack described in the article, at least in my case. When I set up my 2-factor auth for my Google account, I also set up a series of backups in case I lost access to my phone. One of them was my phone number, and another was a phone number of a trusted friend.