Phishing attacks are one of the greatest threats to businesses today and they can often result in attackers obtaining sensitive company data and information.
However, none of Google's 85,000+ employees have fallen victim to such an attack since early 2017, when the company began requiring its staff to use physical Security Keys in place of passwords and one-time codes.
Two-factor authentication (2FA) has become increasingly popular as a means of securing accounts using a password and a user's mobile device. Inexpensive physical USB-based Security Keys offer an alternative approach to traditional 2FA by requiring users to insert their physical key when accessing online services.
A Google spokesperson explained to KrebsOnSecurity that Security Keys are now used to access all accounts at Google, saying:
“We have had no reported or confirmed account takeovers since implementing security keys at Google. Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Prior to the policy change in 2017, Google employees relied on one-time codes generated by the company's mobile app, Google Authenticator, to access their accounts using 2FA. Now, with Security Keys, their accounts are protected with Universal 2nd Factor (U2F) authentication, which allows a user to complete the login process by inserting the USB key and pressing a button on the device.
After the initial setup, users no longer need to enter their passwords at sites that support Security Keys.
Currently, only a few high-profile sites support U2F, including Dropbox, Facebook, GitHub and Google, but support for the new authentication method is growing.
We will likely see further implementation of U2F as a result of Google's own success in using it to prevent phishing.