Google has successfully defended its over 85,000 employees against phishing attacks like the kind that hacked Democrats during the 2016 US presidential race since requiring that staffers use physical, USB-based security keys to access their work accounts, the company said Monday.
While one-time codes are popular - for example, many banks use them to authenticate online transactions - they can be intercepted by determined thieves using techniques such as SIM spoofing.
The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. Accounts protected using physical security keys can typically only be accessed by inserting a recognized USB-based device into the computer being used during the log-in process and pressing a button, meaning a hacker would need both a user's password and the physical key to gain entry. The key works without the need for any special software drivers.
Security Keys are affordable USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).
No Google employee has fallen prey to phishing attacks since early 2017, which is when the company started requiring all its workers to use physical security keys.
A Google spokesperson said Security Keys now form the basis of all account access at Google. Plenty of vendors make consumer-level security keys you can use if you want to add an extra layer of protection to your laptop or the sites you log in to. U2F is now supported by Google Chrome, Mozilla Firefox, and Opera. However, Firefox and Quantum don't enable U2F by default. Trying to hack someone with this security setup isn't easy, but it can still be done.
Not every site supports USB security keys, but the biggest services, including Google, Facebook, Dropbox and most recently Twitter, do. Support is also coming to Microsoft Edge, but Krebs reports that Apple has not said when it will support them in Safari.
This appears to be a reference to the fact that Google's systems can ask employees to present their keys in a number of contexts and not only when logging on to email when they start work. According to reporting from KrebsOnSecurity, physical security keys are to thank for that.