Physical security keys have eliminated phishing of Google employees – One World Identity

July 23, 2018

Since it began requiring all of its employees to use physical security keys to access work accounts more than a year ago, Google has not fallen victim to a single phishing attempt, the search giant has revealed.

Google disclosed the accomplishment to Krebs on Security, explaining that all account access at the company is now built on physical security keys.

Prior to switching to keys, Google required employees to use the Google Authenticator app for two-factor authentication. With the switch to a physical key, the company now requires Universal 2nd Factor authentication, or U2F: the user inserts a USB device into an available port on the computer and then presses a physical button on the device itself.
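The reason a security key stops a relayed login where a one-time code does not is that the U2F token signs the site origin (the app ID, supplied by the browser rather than by the page) together with the server's challenge, and only after the button press. The Python model below is an added example, not code from Google, Yubico or the article; it walks through one legitimate login, one where a phishing page relays the real challenge and key handle, and one without a button press. The origins are constructed, and an HMAC key per registration stands in for the ECDSA P-256 key pair a real token uses, so the block runs on the standard library alone.

```python
"""Toy model of the U2F challenge-response flow (added example, not the article's code).

Stand-in: a per-registration HMAC key replaces the ECDSA P-256 key pair a real
token holds, so the model runs with only the standard library. The structure of
the signed data follows U2F: sha256(app ID) || user-presence flag || counter ||
sha256(challenge data).
"""
import hashlib
import hmac
import secrets

USER_PRESENT = b"\x01"  # U2F sets this flag only after the button was pressed

# Constructed origins for the scenarios below (not from the article).
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com.evil.test"


def _signed_data(app_id: str, counter: bytes, challenge: bytes) -> bytes:
    """Bytes the token signs: the origin hash is baked in, so a relayed challenge
    signed for a different origin can never verify at the real site."""
    return (hashlib.sha256(app_id.encode()).digest()
            + USER_PRESENT + counter + hashlib.sha256(challenge).digest())


class Authenticator:
    """Toy security key: one key per registration, a monotonically rising counter."""

    def __init__(self):
        self._registrations = {}  # key handle -> (app_id it was issued for, key)
        self._counter = 0

    def register(self, app_id: str):
        handle = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self._registrations[handle] = (app_id, key)
        return handle, key  # a real token returns a public key; toy shares the HMAC key

    def authenticate(self, app_id: str, handle: bytes, challenge: bytes, button_pressed: bool):
        """app_id comes from the browser's view of the page origin, never from the page."""
        if not button_pressed:
            return None  # no user presence, no assertion
        reg = self._registrations.get(handle)
        if reg is None or reg[0] != app_id:
            return None  # key handle was not issued for this origin: token refuses
        _, key = reg
        self._counter += 1
        counter = self._counter.to_bytes(4, "big")
        sig = hmac.new(key, _signed_data(app_id, counter, challenge), hashlib.sha256).digest()
        return counter, sig


class RelyingParty:
    """Toy server side: issues challenges and verifies assertions for its own origin."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self._users = {}  # key handle -> (key, last seen counter)

    def complete_registration(self, handle: bytes, key: bytes) -> None:
        self._users[handle] = (key, 0)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, handle: bytes, challenge: bytes, response) -> bool:
        if response is None or handle not in self._users:
            return False
        counter, sig = response
        key, last_counter = self._users[handle]
        expected = hmac.new(key, _signed_data(self.app_id, counter, challenge), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False  # wrong key, wrong origin, or altered challenge
        seen = int.from_bytes(counter, "big")
        if seen <= last_counter:
            return False  # counter did not advance: replay or cloned token
        self._users[handle] = (key, seen)
        return True


def _setup():
    token, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    handle, key = token.register(REAL_ORIGIN)
    rp.complete_registration(handle, key)
    return token, rp, handle


def legitimate_login() -> bool:
    token, rp, handle = _setup()
    challenge = rp.new_challenge()
    response = token.authenticate(REAL_ORIGIN, handle, challenge, button_pressed=True)
    return rp.verify(handle, challenge, response)  # True


def phished_login() -> bool:
    """A phishing page relays the real challenge and handle unchanged, but the
    browser hands the token the phishing origin, so no usable assertion exists."""
    token, rp, handle = _setup()
    challenge = rp.new_challenge()
    response = token.authenticate(PHISH_ORIGIN, handle, challenge, button_pressed=True)
    return rp.verify(handle, challenge, response)  # False


def login_without_button_press() -> bool:
    token, rp, handle = _setup()
    challenge = rp.new_challenge()
    response = token.authenticate(REAL_ORIGIN, handle, challenge, button_pressed=False)
    return rp.verify(handle, challenge, response)  # False


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:", phished_login())
    print("no button:", login_without_button_press())
```

The two checks that matter are both visible in the model: the token refuses a key handle that was not registered for the origin the browser reports, and even an assertion somehow produced for another origin would fail verification because the origin hash is part of the signed bytes. The counter check is the detection hook a server keeps for cloned tokens.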

The system has allowed Google to eliminate passwords entirely for websites that support security keys. In addition to Google’s services, U2F is also supported by Dropbox, Facebook, and password managers like Dashlane and LastPass.

The one-two punch of security keys and U2F has led to “no reported or confirmed account takeovers” since early 2017, a Google spokesperson told Krebs on Security.

One of the most prominent players in the security key space is Yubico, maker of the YubiKey product. John Bradley, a senior architect at Yubico, was named one of OWI’s Top 100 Influencers in Identity earlier this year, and Yubico was also a Featured Company in OWI’s 2018 Identity and Access Management report for its innovations in the IAM space.

OWI Insight: Phishing attacks from fraudulent emails remain a dangerous threat and a costly challenge for corporations of all sizes. An FBI Public Service Announcement with data from the Internet Crime Complaint Center revealed that between October 2013 and May 2018, there were 78,617 email scam incidents worth approximately $12.5 billion globally. The last 18 months of data show a 136 percent increase in identified losses. The success seen by Google — zero successful phishing attacks among 85,000 employees over nearly a year and a half — cannot be denied. Cybersecurity-conscious companies should consider following Google’s lead and providing cost-effective, proven security measures for employees to access sensitive work-related materials. Some may view hardware as an outdated security method, but Google’s success shows that hardware continues to be a proven way of enhancing security.