Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.
Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).
A Google spokesperson said Security Keys now form the basis of all account access at Google.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.
In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).
U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and Keepass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.
With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.
Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”
Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.
Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.
If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. 2fa.directory maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).
In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.
While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.
I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.
Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys. Several readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:
“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”