Google Eliminated Phishing by Giving All 85,000 Employees USB Security Keys

We’ve all been trained not to give out our passwords, but online criminals are getting ever more clever. Phishing scams have effectively tricked uncountable people into compromising their online security, and one of the best ways to stop it is two-factor authentication. Even technologically savvy people can be fooled by clever hackers, though. According to Google, it solved the phishing problem by giving everyone a hardware security dongle. They only cost a few bucks, so that’s an amazing deal.

For the unaware, phishing is simply the practice of stealing sensitive account information by posing as a legitimate entity. For example, a password reset email that appears to be from your bank could simply be trying to fool you into entering your login details on a fake page. Spear phishing is a more targeted version where the attackers go after a specific person or group of people. This is something that Google deals with a lot because its employees have access to a wealth of valuable information.

Using two-factor authentication makes it vastly more difficult to break into someone’s account. Logging into an account with two-factor requires something you know (your password) and something you have (usually a single-use code). Google switched to physical security keys in early 2017 as a replacement for code generators or phone alerts. It says none of its 85,000 employees have been successfully phished since. Previously, Googlers used the Google Authenticator app to generate codes for logging into their accounts.

Security keys, like the popular YubiKeys used at Google, use the Universal 2nd Factor (U2F) standard to store a unique access token on a small USB device. Simply plug that into your computer, and you can log into your account. There are old-style USB-A versions as well as newer USB Type-C dongles that work with both computers and phones. A few even support NFC to authenticate wirelessly on Android phones.

U2F security keys work with many online services, including Google, Dropbox, LastPass, GitHub, and more, and with the Chrome, Firefox, and Opera browsers. For someone to compromise an account secured with a physical key, they need to phish your login details and then steal the key from you in real life. That’s infinitely more difficult than sending clever scam emails from the other side of the world.
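To show why a stolen password alone is not enough once a U2F key is enrolled, here is an added toy model (not Google's, YubiKey's, or any U2F library's code) of the origin binding that makes these keys phishing-resistant: the browser, not the web page, writes the origin the user is really on into the signed client data, and the site rejects any assertion whose origin is not its own. It goes beyond the article in one respect, modelling the key-handle derivation too; HMAC-SHA256 stands in for the key's ECDSA signature (so the site here holds the same secret as the key, unlike a real relying party), and the origins and challenge values are constructed.

```python
import hashlib
import hmac
import json
import os


def sign(secret, app_id, client_data):
    # Real keys sign sha256(app_id) || counter || sha256(client_data) with ECDSA;
    # HMAC-SHA256 stands in for that signature here (assumption; counter omitted).
    msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class SecurityKey:  # toy authenticator: one master secret, nothing stored per site
    def __init__(self):
        self.master = os.urandom(32)

    def _secret(self, app_id, handle):
        # Derived from the key handle *and* the app ID, so a handle registered
        # with one site yields a different secret when another site presents it.
        return hmac.new(self.master, app_id.encode() + handle, hashlib.sha256).digest()

    def register(self, app_id):
        handle = os.urandom(16)
        return handle, self._secret(app_id, handle)  # key handle plus "public key"

    def authenticate(self, app_id, handle, client_data):
        return sign(self._secret(app_id, handle), app_id, client_data)


class RelyingParty:  # the site being logged into; one credential per enrolled key
    def __init__(self, origin):
        self.origin, self.creds = origin, {}

    def enroll(self, key):
        handle, pub = key.register(self.origin)
        self.creds[handle] = pub
        return handle

    def verify(self, handle, challenge, client_data, signature):
        data = json.loads(client_data)
        expected = sign(self.creds[handle], self.origin, client_data)
        return (data["challenge"] == challenge
                and data["origin"] == self.origin  # an assertion made on a look-alike site fails here
                and hmac.compare_digest(signature, expected))


def browser_login(page_origin, key, handle, challenge):
    # The browser, not the page, records the origin the user is really on.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, key.authenticate(page_origin, handle, client_data)
```

A login performed on the genuine origin verifies; the same key used on a look-alike origin produces client data and a signature the genuine site rejects, even if the attacker relays them, and a reused challenge is rejected as a replay.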

If you want to start using a security key on your accounts, you can get them for as little as $20.
