Google hasn’t experienced any successful phishing attacks since early last year, the company has revealed, thanks to its company-wide use of physical security keys. These small USB devices, which resemble a thumb drive with a button on top, are a more secure alternative to two-factor authentication based on one-time codes, which requires the user to authenticate a login attempt using a one-time code in addition to the account password.
Google revealed the news to Krebs on Security, which reports that Google requires its more than 85,000 employees to secure their accounts with physical security keys. The keys are used instead of the Google Authenticator app, the company’s previous solution for securing employee accounts with more than a password alone.
Two-factor authentication is better than using only a password, but it has its own issues. Hackers can use SIM hijacking to acquire the one-time code sent via SMS, for example. Authentication apps like Google Authenticator have become a more popular alternative to SMS codes because the person attempting to access the account must have the device itself.
Increasingly popular, however, are physical security keys and Universal 2nd Factor (U2F), a process that verifies a login via a USB security key inserted into the device. The security key contains a physical button the user presses to complete the authentication, granting access to the secured account. A password is no longer necessary once the security key has been set up with the account.
Security keys are not expensive, coming in at around $20 each, but they’ve been slow to catch on with consumers. A growing number of services have added support for physical security keys, including Facebook, Twitter, and Dropbox. Yubico offers some of the most popular options at this time, including the YubiKey, which is available in versions for both desktop and mobile.
SOURCE: Krebs on Security