Since switching to physical security keys, there has been no successful phishing attempt on any Google employee. This information was confirmed by a spokesperson of the search giant in a post by Brian Krebs on his website Krebs on Security. The employees of the tech firm, which number more than 85,000, have long used two-factor authentication to protect their accounts against attackers who may have obtained their passwords through phishing or other similar methods. However, before 2017, they relied on one-time codes produced by a security app, like Google Authenticator, to verify their identities. While this method is considerably more secure than receiving one-time codes through text messages or automated phone calls, the search giant still switched to using security keys early last year.
One of the major advantages of using security keys that utilize the open-source standard Universal 2nd Factor (U2F) is its ease of use. If the website or the browser that people use already support the standard, they only need to insert the security key, which usually takes the form of USB-based devices, and then press a button to log-in to their accounts. Furthermore, the security keys do not require users to download and install software drivers. Among the websites that already support the U2F protocol include Google’s services, Dropbox, Facebook, and Github, while browsers like Chrome, Opera, and Firefox also support the use of security keys. However, the support for the U2F protocol is not enabled by default on the Firefox browser. Aside from USB-based physical keys, there are also security keys that use NFC to work with mobile devices.
Nonetheless, multiple organizations are still working to develop better ways to secure people’s accounts from attackers through improved authentication methods. For example, the World Wide Web Consortium developed the Web Authentication API (WebAuthn), which aims to protect users from phishing and other attack vectors by removing the need for users to constantly type in their passwords. Meanwhile, Google also developed its own two-factor authentication method, dubbed as Google Prompt, and it now serves as the default account verification option for G Suite users. This method makes use of other devices wherein the person’s Google account is already logged in, and people can verify their identities with just a single tap.