"How effective are login challenges at preventing Google account takeovers?"

  Despite recent implementation bugs that might affect the security of physical security keys, Google argues that physical security keys are still the strongest protection against phishing currently available. On-device prompts and SMS codes are also extremely successful at blocking account hijacking attempts that come from automated bots and bulk phishing campaigns, but both can still be bypassed by moderately skilled attackers who focus on specific users. Knowledge-based challenges (recovery phone number, last sign-in location, etc.) are very effective at stopping bots, but are much weaker against bulk phishing and targeted attacks. In the event of a suspicious sign-in attempt, Google's risk analysis engine selects the strongest challenge that the account's legitimate owner should ideally be able to solve. Google's research has shown that simply adding a recovery phone number to one's Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Google is urging low- to medium-risk users to choose strong and unique passwords, set up a recovery phone number or email address, and enable two-factor authentication to decrease the likelihood of a successful attack. Google has also urged high-risk users to enroll in the Advanced Protection Program, which requires the use of physical security keys, limits full access to users' Gmail and Drive to specific apps, and adds extra steps to the account recovery process. If these procedures are followed, account takeover attacks are much less likely to succeed.

HELPNETSECURITY reports: "How effective are login challenges at preventing Google account takeovers?"

Submitted by Anonymous on