Two-factor authentication is increasingly becoming a requirement to protect online accounts from phishing attacks. With methods ranging from SMS to prompts, one of the more secure forms involves Security Keys, with Google highlighting the success of rolling out these devices.
In a statement to Krebs on Security today, Google detailed how its more than 85,000 employees have not been “successfully phished on their work-related accounts” after the company mandated the use of these keys in early 2017.
“We have had no reported or confirmed account takeovers since implementing security keys at Google.”
These affordable, physical devices replaced passwords and one-time codes at Google. Connecting to computers via USB-A or USB-C, Security Keys feature a button that users are asked to tap when signing in.
Two-factor authentication (2FA) comes in a variety of methods, with Google defaulting to the “Google Prompt” on its services. When users log into an app or service, a confirmation prompt, with details like computer and location, is sent to trusted mobile devices. On Android, these alerts are built into Google Play services, while on iOS these 2-step verification prompts open in the Google app or Gmail.
This new default replaces one-time codes sent via SMS, given how SIM spoofing is a common occurrence. Meanwhile, another method involves authenticator apps that generate one-time codes every 30 seconds.
Earlier this year, Google also rolled out an Advanced Protection program that leverages Security Keys to lock down Google accounts. Aimed at journalists, business leaders, and political campaigns, the program also involves limiting which apps can access data, restricting sharing, and blocking fraudulent account access.
YubiKey offers a family of Security Keys ranging from standard (YubiKey 4) to more compact designs that sit flush with USB-A ports. There are also USB-C variants and ones that feature NFC for mobile devices.