Google Leverages Hardware Security Keys To Protect Employees From Phishing Scams
Everyone has to deal with scams and phishing attempts online today, even Google. To protect its workers from phishing scams that could result in the theft of IP, Google took advantage of security keys for all its 85,000 workers. Since that roll out, no accounts have been compromised. The keys are USB-based security devices, such as the YubiKey pictured below, that offer an alternative to two-factor authentication. In two-factor authentication, a person must know the username or login for a website and have something like a key or an app for the second part of the authentication.
"Users might be asked to authenticate using their security key for many different apps/reasons," said a Google spokesperson. "It all depends on the sensitivity of the app and the risk of the user at that point in time."
The security key uses Universal 2nd Factor (U2F) authentication. Essentially, Google is doing is securing the accounts of its workers by using an authentication method that won't allow access to an account even if the user were to give a hacker their username and password information. Without having the security key, the other authentication credentials are worthless. Before moving to the security key devices, Google relied on its own Google Authenticator app.
The keys are also easier to use; all the worker must do is plug the security key into the USB port of the computer and press the integrated button and they are logged in. No special drivers or software are needed. Once the device is enrolled for a specific website that supports security keys, the user no longer has to enter a password at that site. If they try and access an account for the same site via a different device, they will be prompted to enter their key.
U2F authentication is described as an emerging open source standard and for now only a few sites support it. Supported sites include Dropbox, Facebook, GitHub, and Google services. Password managers are supporting U2F as well including Dashlane, Keepass, LastPass, and Duo Security. Browsers supporting U2F include Chrome, Mozilla Firefox, and Opera. However, Firefox and Quantum don't enable U2F by default. Microsoft will update Edge later this year for support and there is no word on if Apple will support it.