July 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and Keepass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.

If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. 2fa.directory maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.

While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.

Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys. Several readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:

“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”

187 thoughts on “Google: Security Keys Neutralized Employee Phishing

  1. Paul Waite

    We provide access to our insureds with a product called TokenOne.

    Part of a current NIST eCommerce project that provides the only Quantum Resistant Authentication 2FA solution.

  2. The Sunshine State

    I use a USB key with a Gmail account , it’s pretty easy to set up

  3. Jim

    I would agree with you, but.
    Oh, excellent article as usual, well thought out, and informative.
    But, okay, I can see one secure account for personal iddentification, but, why get that information over the least secure method of communication? It is not against the law to intercept those communications, record and study them. It is against the law to Intercept snail mail. Etc. And there are “rules” about interception of snail mail. None of electronic communications ications says, this is who I am, this is where I am, what it says is there is a machine that “may” represent me, there. Snail mail rules say I am here once a day. Or a known representative of me is here once a day. Which one is more secure to get a needed piece of information to me?

  4. Mark

    Security Keys sound very promising. One thing not mentioned in this article is the potential to integrate these cyber security key devices with a physical access/smart card capability. This win-win would integrate both into one form/factor. Also, employees would be more likely to take the device with them when they leave their desk, and therefore, more often, lock their screens.

  5. Eric Milbrandt

    You might try Mailvelope chrome extension for integrated Gmail GPG encryption.

  6. Mark

    Security Keys sound very promising. One thing not mentioned in this article is the possibility of integrating these cyber security key devices with a physical access/smart card capability. This win-win would integrate both into one form/factor. Also, employees would be more likely to take the device with them when they leave their desk, and therefore, more often, lock their screens.

    1. Andrew

      There’s plenty of prior art here… You should review PIV cards, which commonly add a third factor.

      1. SalSte

        PIV cards are quite usable, but the setup and configuration isn’t quite as easy. Only business class laptops have integrated card readers, and they’re all but useless for Mac users without additional software since Apple removed native smart card support back in OS X 10.7.

        I’m all for a company offering PIV or smart card capability. I’d even enforce its use for my business and try to get my customers to use it as well, but until the cost of the infrastructure goes down it’s just not going to be that feasible for the average user.

  7. Mahhn

    Do they have tokens for Android/iPhone use? or are they considered safe, like Linux and mac supposedly were from viruses.
    Token or not, google still has full access to all gmail accounts, so, so much for it making gmail secure.

  8. Bob Perrin

    Re: “…no integrated solution in Gmail for PGP/OpenGPG email message encryption,…”

    I use “Mailvelope” to check signatures on Microsoft Security Notifications. It’s easy to do, once installed, along with whatever keys you are going to use. Just scroll down to the bottom, where the signature is and click on the red box that Mailvelope overlays the signature with. After the separate window opens. containing the body of the message, scroll to the top to see whether the banner is green or not. Strangely, it doesn’t display any links found in the message body. After verifying the signature, I usually just close the separate message box.

    An encrypted message can be handled in similar fashion, provided you have pre-loaded the key in your keyring (you’ll need to keep the box open to read the cleartext message).

    The main downside I’ve found is that it doesn’t use the same keyring that gnupg uses so you need to maintain two keyrings.

  9. richard vanderwal

    Solid article -always looking forward to your articles…Question? and forgive my naivety – but couldn’t a emulator of the USB token and MITM attack actually circumvent the access controls setup by U2F

  10. Bert

    Looks promising. Great piece! 2 questions come to mind:

    What does the recovery process look like? Suppose Inlose my Yubikey, shat then?

    Also, do I need to touch the Yubikey every time I want to log in somewhere? Or is having it plugged in sufficient?

    1. Jeff Frederick

      You can register multiple security keys with Gmail. If you lose one, you can use the second to login and remove the lost key from your account. I recommend getting 3 keys and registering them all.

      1. Kary

        Can you have the backup key(s) be the basic $20 model and the main key be the more expensive NFC model?

  11. Joseph Neumann

    Misleading arictle and needs clarification. Gmail users get phished constantly and are successful. This is just mitigating account credential harvesting. This solution doesn’t solve malicious links and attachments via phishing. 2 fa tokens have been around for a while now.. why are you making this seem like a novel concept.

    1. Andrew

      It was pretty clear in the first line… Where it says 85k employees and work email…

      We’re not talking about the rest of the Gmail population…

    2. Ickster

      From the first sentence of the article: “Google has not had any of its 85,000+ employees . . . ”

      It’s illustrating that since Google made SecurityKeys mandatory for employees, none of them have been phished. Obviously, that’s not mandatory for Gmail users at large, so they are still vulnerable to phishing.

      Yes, 2FA has been around for a while, but SecurityKeys are far and away the most secure implementation available today. Hence the article.

    3. BrianKrebs Post author

      What, exactly, do you feel needs to be clarified? The nut of the story was about how Google has managed to nullify the effects of phishing using security keys for its employees, not for all Gmail users. Also, the story doesn’t say Google employees don’t get phished, or that they don’t sometimes give away credentials. The point is that if you have Keys enabled for your Gmail account, it makes it way harder for thieves to exploit those stolen credentials (assuming the phished person isn’t also in the habit of re-using those credentials somewhere else).

      Finally, I learned quite a bit while researching and writing this article, and that is my basic bar for deciding whether something is worth writing about. IMHO, one can never do enough evangelizing on this topic.

  12. Mike Cook

    Understand the value of MFA and U2F for Access Control, and certainly to prevent Account (mail) takeovers. But don’t get the direct impact to Phishing? How does Access Control reduce or eliminate Phishing (receipts), and people responding to a Phishing email received?

    Seems the headline could reference Account Takeover (ok, a variant of phishing) insteat.

    As always – appreciate all the great Krebs work!

    1. Rich

      One time codes can be phished along with passwords. Just ask for an otp code on the phishing site, then make sure to use it before it expires.

  13. Philip

    No mention of Gibson’s SQRL Brian? Even the creator of FIDO told him at a conference that his protocol was even better than FIDO’s. Here’s to SQRL adoption being the standard when it’s released soon.

    1. arbee

      Secure Quick Reliable Login (SQRL)


      appears to have a lot going for it … except users. The web page was most recently updated 2 Aug 2015, not quite 4 years ago. Successful marketing isn’t irrelevant to a product’s adoption.

      SQRL does seem relevant to this story, but I lack the expertise to compare it to alternatives.

  14. Kip A Boyle

    While U2F is encouraging, there’s more work to be done to combat phishing. I expect a Business Email Compromise (BEC) or a Remote Access Trojan (RAT) installation is still possible even with a security key in use.

  15. Paul

    Re the Android query above:

    I use my Yubikey Neo to umlock my Lastpass app on my Android phone using NFC.

    1. Brian

      Now you’re at $50 per key and a smartphone recent enough to support the relevant NFC spec.

  16. Paul S

    Sadly Vanguard does not recognize Firefox as an acceptable browser even after turning on that function. Not sure whether due to an incomplete implementation in Firefox (I’m using 61.0.1) or a lack of interest by Vanguard in trying to make their security key acceptance more robust. Currently Vanguard claims ONLY Chrome version 41 or newer is acceptable. I have 2 Yubikeys but really prefer to use Firefox as my browser.

    1. Robert

      Firefox is kinda irrelevant to this article.

    2. Moike

      Facebook also doesn’t work with Firefox and a Yubikey, although it works with Chrome.

    3. Moike

      The Vanguard solution as implemented today does not appear to be added security over SMS codes; only a convenience. Just as the fallback to knowing only answers to security questions get around the strongest password, the fallback to SMS codes gets around a security key. So today it is only a timesaving convenience over SMS codes.

      But with policy changes, they can choose to apply the key differently in the future.

  17. Mike

    One thing is clear from your article: Security must be simple and straightforward in order to work. When Brian Krebs has trouble getting security to work, the average user who is computer illiterate is not going to use it or get it to work.

    This kind of device seems to me the best answer in large part because it does one job. Since it does one job, it is not likely to be changed the way cell phones are.

    The industry needs to get behind one standard and support it. The excuses about the industry being in its infancy, latest technology have worn mighty thin. The bad guys can win if the good guys can’t lose their egos and get their **** together.

    1. BrianKrebs Post author

      Mike, to be clear, my issues were with setting up Google’s Advanced Authentication, which in general is not geared toward the average user. It is necessarily restrictive, and if you lose your keys with it turned on Google may enforce a “cooling off” period of several days before you can successfully regain access to your account. I would not recommend this approach to everyone, but mainly to those for whom a phishing attack could be devastating to themselves or to others (as in potential loss of life, liberty, employment, etc).

  18. Mark Perew

    The form factor for 2FA still needs to sorted out. For work, I’m required to use a “fob” which provides a temporary PIN that will authenticate me on any appropriately configured device. YubiKey must be physically plugged into a device. Since I read personal email on 3 different devices that do not support identical physical connectivity, YubiKey is not a viable option.

  19. Ron HD

    I’m a little surprised by the assertion near the end that SMS 2FA is better than password alone. From the recent boom in porting scams, it seems easier to port someone’s number away from them than to get their password. Even the PINs some people set to prevent unauthorized porting have been easily compromised, either by flaws in the phone companies’ systems, or by bribing insiders.

    If you’re using a password manager with secure non-shared passwords, a password compromise affects a single account. An unauthorized port compromises every account you have that uses SMS 2FA, and leaves you with very little recourse. And mobile phone providers have been refusing to address the problem, or even admit there is a problem.

    1. BrianKrebs Post author

      Number porting and SIM swap attacks were mentioned in the story as caveats. Just because something can be defeated doesn’t mean it is not worth doing. Adding 2FA of any kind can help slow down or deter attacks in favor of lower-hanging fruit.

      Is it ideal? Absolutely not. But this is a great example of how so many people in the security industry discourage people from taking steps available to protect themselves because the solution offered doesn’t solve ALL of the problems. I think too many security experts do the average user no favors in this regard.

      1. Eric W

        This is a tough one. While, yes, adding 2FA generally seems like a no brainer in comparison to a password alone, the original comment has a point here. By adding 2FA by SMS you are essentially adding another attack vector that would allow someone to gain access to your accounts without ever needing to crack a password. I agree with the original commenter that a password manager with unique passwords for every site is likely safer than using SMS 2FA.

        On the other hand, if you reuse passwords and/or make them easy enough to brute force hack, then yes, please use SMS 2FA to further protect yourself.

  20. Ren

    When I saw the title of the article, I though it referred to those rsa securid tokens the give a different number every minute.

  21. Jay

    These keys are great … when you can use them. Which most of the time is not, and even when you can, it makes no difference if the site’s options don’t take full advantage of what the key can do.

    I’ve had a Yubikey for years now, and it’s supported on precisely one website I use … Vanguard, the investment company. (I don’t use Facebook, and I don’t code for a living, never needed github or dropbox.)

    Even on that site, I don’t usually use it. Because the site requires you to be using Google Chrome when you’re logging in using the Yubikey. If you log in using Firefox (my browser of choice since I’m on Qubes), it defaults to sending you an SMS code. As we have seen, Google is pretty good for security, but bad for privacy. I don’t use Chrome if I can help it.

    Seriously, the only thing an attacker has to do to defeat the Yubikey is switch browsers. I don’t see anything the Yubikey does for me security-wise, other than maybe get me back in if the attacker has changed my password (but not if, say, s/he is smart enough to go into the account options and disable the key while s/he’s in there).
    This is exactly the site that you would hope would take full advantage of the benefits of a Yubikey. One where there is real incentive for an attacker to do some homework on you and coordinate with all the social engineering tricks, and do real damage. But nope, nobody seems to think that maybe the customer might want to lock out anyone who does not have that key, no ifs ands or buts.

    Sites mostly do not seem to use Yubikey as a security device, but as a convenience so as not to have to manage passwords. I’ve given up on security keys for now, unless sites start implementing them better.

  22. Tom Morris

    A question of semantics. Were no employees succesfully phished? Or did the added control of physical security keys nullify/neutralize the threat?

    Your headline uses neutralize; the wording of the reported statement implies nobody was successfully phished. I find that *quite* hard to believe.

  23. Jay

    You could use Virtru for your encryption option. It is easy to install and use. There is an extension for it in the Extensions marketplace.

  24. Ollie Jones

    I’ve had one of these U2F Yubikeys riding in my pocket on my keyring for about a year now.

    It seems to be robust.

  25. Greg Silverman

    Anyone who can take physical possession of a Secure Keys can impersonate the authorized user. A pick-pocket could “borrow” the key and return it later. How secure is that?

    Do Secure Keys need to remain inserted to maintain access to a service? Are users required to remove the key after authentication is complete? If not, given human nature, it seems likely they will be left unattended which would allow others to “borrow” the key and gain access.

    1. Riley Dumont

      Yes, they could steal the key but it adds an extra step a hacker has to take.

      Ideally you want three factors of authentication: Something you know (like a standard password), something you have (like these ubikeys), and something you are (like a fingerprint, voice authentication, or something of the sort)

      Ideally we want a world where all three of these need to be authenticated to ensure that *you* used a key in your possession, and implied (somewhat) consent to the log in with your password, because in a perfect world you chose a good one that only you know, you weren’t phished, and the site you’re using stores passwords well by salting, encrypting, etc.

      These physical devices are not an end-all solution to security, but they are an important extra step an attacker would have to make and discourage them getting into your account. Especially an attacker abroad.

    2. Aexia

      The key is just the second factor. You still need the username and password.

      So yes, if someone’s stolen your password AND physically stolen your yubikey, you can be compromised.

      But for the other 99.9999% of users, it’ll be pretty ironclad.

    3. Ollie Jones

      No, the key doesn’t need to remain in the USB slot once you’ve touched the button and had the authentication accepted.

      There are versions of the keys (pricier) designed to leave in the slot. You don’t have to use those. And, they open up some of the same threats as putting your password on a sticky note under your keyboard.

      Can a badguy steal your keyring? Of course. But I don’t think we’ve had an incident yet where leaked passwords and stolen keys were used together.

  26. Kyle Lyons

    Would you happen to know why this only happened after they switched to physical tokens? Is their own 2FA authentication app solution insecure in some way, or was it just a matter of enforcement – getting everyone to set up and use the app?

    1. Aexia

      Phishers can setup their site to ask you to enter your 2FA code after getting you to enter your password. It’s more work but it’s still a vulnerability. U2F essentially hashes against the domain so even if there’s a MITM attack, the auth they get won’t be valid.

      You could probably get around that by compromising the browser first but that’s another big barrier.

  27. Edward Greene

    Hi Brian,

    Great article and useful. Additional layers are always helpful. The article makes no mention of HTML malware and other browser compromises. My understanding is that those can/will circumvent these authentication techniques. Is this the case and how do you think Google has avoided those? I am sure they are using extensions, which seem vulnerable as well. Thx,

  28. Ron Davis

    Brian – you say that “Previously, I had used Thunderbird along with a plugin called Enigmail to do that.”

    I’ve been using a product called Virtru for a while that (it says) allows end-to-end encryption for my web-based mail. It is a third party add-on which does require me to allow them access to my mails. But on the Virtru site, they say all the right things about privacy.

    Wondering if you have any thoughts about Virtru, and whether it might replace Enigmail for you.

    Thanks for your great work.

  29. Al

    Maybe Google can give the rest of us an option to use hardware devices for sign-in more securely, and stop defaulting the “always remember this computer” check box to true. Or at the very least provide an account-level option for the default.

  30. Sam G

    So when will Gmail recognize that Firefox has U2F support? I bought myself some Yubikeys late last year in hope of taking advantage of that… but last I checked, Gmail still did not recognize the support. I refuse to use Chrome.

    1. BrianKrebs Post author

      Sam, did you see the part in the story that says while Firefox supports U2F, it is a feature that needs to be manually turned on:

      Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

      1. Mike Fox

        I think the problem is that some sites aren’t checking the U2F flag and are probably just checking against the useragent string. Turning U2F support on in Firefox isn’t going to help in those cases.

        Setting the useragent in Firefox to Chrome > 61 may help in that case, anyone willing to try it out?

Comments are closed.