While SMS verification can be defeated by a targeted attack, Google’s ability to do things like send a prompt to a connected phone or have users verify where they last log in also help block sign-ins it thinks are suspicious. If you’re logging in on a brand new device or from a new location, then you should expect a little more scrutiny, however because 38 percent of users didn’t have access to their phone, and 34 percent couldn’t get to a secondary email address, the worry is that requiring challenges all the time will increase account lockouts.

According to the Google data, “hack for hire” attacks that impersonate familiar people or Google itself are incredibly rare, but can include multiple attempts even after an initial message is rebuffed. That’s where steps like its Advanced Protection Program — that requires a user to setup two hardware keys and use one of them to login all the time — come in handy.

Mirroring the results Google has seen since requiring employees to use hardware keys, researchers said zero users who exclusively use security keys — despite the presence of a flaw that’s caused a recall of Google’s Bluetooth Titan Key — had fallen victim to targeted phishing. Limiting the attack surface based on physical proximity, and because a site has to verify itself to the security key, keeps phishing attacks at bay, even for people who are being targeted specifically.