The company told KrebsOnSecurity that none of its 85,000 employees have fallen prey to phishing attacks on their work-related accounts since early 2017, when Google began requiring its employees to use security keys instead of passwords and one-time codes for access authorization to various work-related sites and apps. According to a Google spokesperson:
“We have had no reported or confirmed account takeovers since implementing security keys at Google. Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
A security key is essentially just a USB thumb drive that stores a user’s login credentials and authenticates them. Security keys can be used in lieu of a traditional password or two-factor authentication methods. As KrebsOnSecurity explains:
“In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
“Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).”
In other words, even if a hacker has obtained a Google employee’s username and password, he still wouldn’t be able to access that employee’s data because a login would also require the physical USB security key.
Security keys aren’t just limited to big corporations. Plenty of vendors make consumer-level security keys you can use if you want to add an extra layer of protection to your laptop or the sites you log in to. Currently, the Chrome, Mozilla Firefox, and Opera browsers support security keys, and Microsoft is expected to support them in its Edge browser later this year.