Why have physical security keys slashed phishing incidents at Google?

24 Jul 2018

Security keys are making an impact on Google. Image: Image Stock Studio/Shutterstock

Google says since switching to physical security keys, it hasn’t had a single case of account takeover as a result of phishing.

Google is a gigantic entity, with more than 85,000 employees scattered around the globe working in divisions from cloud to hardware and search. A staff roster that large and a massive quantity of confidential trade information obviously makes the company a prime target for cyber-criminals.

Phishing incidents are down at Google

Phishing is a particular concern for all companies, but especially an organisation operating on such a large scale. Google recently started doing something differently in terms of security, which is paying off.

According to Brian Krebs, not a single Google employee has been a victim of phishing since early 2017, when the decision was taken requiring all staff members to use physical security keys instead of passwords and single-use codes.

A spokesperson for the company said: “We have had no reported or confirmed account takeovers since implementing security keys at Google.

“Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

Before making the switch to physical security keys, staff at Google used one-time codes generated by Google Authenticator.

What is U2F?

Security keys are a different form of multifactor authentication known as Universal Second Factor (U2F), which lets the user finish the login process by inserting the key into a USB port and pressing a button on the small fob. Once the key has been registered with a website that supports it, the user does not need to enter a one-time code again unless they want to sign in to the account on another machine.
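The phishing resistance behind that flow comes from origin binding: the key signs the site's challenge together with the origin that the browser itself observed, so a look-alike site cannot obtain a signature that the real site will accept. The Go program below is an added illustration, not code from this article, from Google or from any U2F library; it is a deliberately simplified model of the U2F challenge/response in which the app ID is assumed to equal the web origin, the site names and challenge strings are constructed, and ECDSA over P-256 from the Go standard library stands in for the key's signing operation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Constructed model of U2F's challenge/response, not a protocol implementation.
// Simplification: the app ID a key is bound to is taken to be the web origin.

// Authenticator stands in for the physical security key.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // one key pair per registered app ID
	counter uint32                       // monotonic signature counter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair bound to appID and hands the public key to the site.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// ClientData is assembled by the browser; the key signs over its hash.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the key's answer after the user presses the button.
type Assertion struct {
	ClientData []byte
	Counter    uint32
	Sig        []byte
}

// signedDigest hashes SHA256(appID) || counter || SHA256(clientData), the
// shape of the U2F authentication message (user-presence byte omitted).
func signedDigest(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var buf bytes.Buffer
	buf.Write(app[:])
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(cd[:])
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// Sign is the key's authentication step. The browser, not the page, supplies
// appID, so a key registered for one origin never signs for another.
func (a *Authenticator) Sign(appID string, cd ClientData) (Assertion, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return Assertion{}, fmt.Errorf("no key registered for origin %q", appID)
	}
	raw, err := json.Marshal(cd)
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, a.counter, raw))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientData: raw, Counter: a.counter, Sig: sig}, nil
}

// BrowserLogin models the user agent filling in the origin it actually loaded.
func BrowserLogin(auth *Authenticator, pageOrigin, challenge string) (Assertion, error) {
	return auth.Sign(pageOrigin, ClientData{Challenge: challenge, Origin: pageOrigin})
}

// RelyingParty is the site checking the login.
type RelyingParty struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// Verify accepts only if the challenge matches, the browser-recorded origin is
// this site, the counter advanced, and the signature checks under this app ID.
func (rp *RelyingParty) Verify(challenge string, as Assertion) bool {
	var cd ClientData
	if json.Unmarshal(as.ClientData, &cd) != nil {
		return false
	}
	if cd.Challenge != challenge || cd.Origin != rp.Origin || as.Counter <= rp.LastCounter {
		return false
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedDigest(rp.Origin, as.Counter, as.ClientData), as.Sig) {
		return false
	}
	rp.LastCounter = as.Counter
	return true
}

func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("https://accounts.example.com") // constructed site
	rp := &RelyingParty{Origin: "https://accounts.example.com", PubKey: pub}
	as, _ := BrowserLogin(key, rp.Origin, "challenge-1")
	fmt.Println("genuine login accepted:", rp.Verify("challenge-1", as))
	// A look-alike origin relaying the real challenge gets no signature at all.
	_, err := BrowserLogin(key, "https://accounts-example.evil.test", "challenge-2")
	fmt.Println("look-alike origin:", err)
}
```

Two checks do the work here: the key has no material for the look-alike origin, and even an assertion the key would produce for some other registered origin carries that origin in the signed client data and is signed under a different app ID, so the genuine site's verification fails on both the origin comparison and the signature. The counter check additionally rejects a replay of a previously captured assertion.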

At the moment, U2F is supported by Chrome, Firefox, Opera and platforms such as GitHub and Facebook. Microsoft expects to roll out U2F support for its Edge browser later in 2018. Apple has not announced a date for the roll-out of U2F on Safari.

While there is a risk of losing the device, it is considered safer than SMS-based two-factor authentication (2FA), because attackers can intercept text messages containing one-time codes sent to your mobile phone and use them to gain entry to your accounts.

U2F adoption is not yet widespread, but a positive story of its implementation at one of the world’s largest tech firms could bring it onto the radar of the general public. Once more websites begin using the WebAuthn API, physical keys may become commonplace.

For those who are in need of a security audit or are just curious, Twofactorauth.org has a comprehensive list of sites that support multifactor authentication.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects