Phishing attacks are a big concern for companies nowadays, but for Google, which has about 85,000+ employees around the world, it’s no problem at all. The search giant has found a cost-effective but efficient solution against phishing – Security Keys.
No more phishing attacks
Phishing attacks are a big problem for businesses because no matter how much you spend to make sure computers are secure, one mistake by any of your employees makes your entire system vulnerable to hacking. Google surely knows this, and hence, has found an effective solution for it.
Google told KrebsOnSecurity that none of its employees have been successfully phished since early 2017, when the search giant made it compulsory for all the employees to replace passwords and one-time codes with the physical Security Keys.
In his 2021 year-end letter, Baupost's Seth Klarman looked at the year in review and how COVID-19 swept through every part of our lives. He blamed much of the ills of the pandemic on those who choose not to get vaccinated while also expressing a dislike for the social division COVID-19 has caused. Q4 2021 Read More
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the company said. According to the search giant, the Security Keys are now the basis of all account access at Google.
2FA vs. U2F
A study by Google last year found that phishing attacks are the biggest online threat for Google accounts. There are various ways to protect yourself from phishing, such as simply not responding to suspicious emails, registering for Google’s Advanced Protection program and introducing two-factor authentication to systems.
Security Keys are an alternative to the two-factor authentication (2FA). In 2FA, a user needs to log into a website using their password, and then authenticate again using their mobile device. In fact, Google employees also used something similar – one-time codes – prior to 2017. There have been instances when hackers have cracked the two-factor authentication by spying on the cellular network and intercepting the SMS messages.
On the other hand, using Security Keys is comparatively easier and quicker as they are USB-based devices that just need to be plugged in. A Security Key is based on multi-factor authentication (also called Universal 2nd Factor or U2F), where the login process is completed just by inserting the USB key and clicking the button on the device.
After the security key device is registered for a specific website, the users no longer need to enter the password for that site. Also, no special software drivers are needed for running the USB key.
Since passwords and the one-time codes are all digital, it makes them vulnerable to hacking. On the other hand, Security Keys are physical, hence, to get into your system a hacker would have to steal it from you personally. This explains why Google employees have been safe from phishing attacks.
Though two-factor authentication is cheaper, they are relatively less safe. Hence, companies should seriously consider switching to physical security keys. The initial investment might be a bit high for companies with a high number of employees, but the protection that it guarantees is priceless.
A Google study in 2016 found that text-message or the app-based two-factor authentication had an average failure rate of 3%. The security key system (also called U2F) was found to have a 0% failure rate.
Rising acceptance of Security Keys
Yubico is a popular manufacturer of Security Keys, which starts at $20. The more expensive version of the hardware comes with support for a smartphone or a USB-C port. Anyone can easily buy such keys online via Amazon and other retailers.
For now, not all sites supports USB security keys, but the bigger ones like Google, Facebook, Dropbox and Twitter do support this security feature.
Chrome, Mozilla Firefox and Opera also support such USB keys. However, in both Firefox and Quantum, the U2F is not enabled by default. Microsoft Edge browser is expected to start supporting U2F later this year, while there is no info from Apple of when its Safari browser will support the new security standard.
Further, the tech industry is working on new login standards to make such USB keys universally accepted. In fact, many developers are favoring hardware security keys to authenticate the software’s validity. Major password managers – such as Keepass, LastPass, Dashlane – also support U2F.
Google also launched its advanced-protection program in October last year. Under the program, the security keys are made available to people who are more likely to be phished, such as business leaders, activists and journalists. The search giant also collaborated with several industry groups, like the FIDO Alliance, to build security-key technology also called U2F.