At Google, it appears that the key to thwarting employee phishing is an actual key. In early 2017, the firm started using physical USB-based security keys. Since then, none of its 85,000-plus workers have been phished on their work accounts, as reported by Krebs on Security.
The keys serve as an alternative to two-factor authentication in which users first log in to a site with a password and must then enter an additional one-time code, generally sent to their device through an app or a text message. A Google spokesperson told Krebs on Security that the security keys are used for all account access at the firm.
The spokesperson told the publication, “We have had no confirmed or reported account takeovers since putting security keys into practice at Google. The users may be asked to validate utilizing their security key for several different reasons or apps. It all relies on the sensitivity of the application and the threat of the user at that moment in time.”
Before 2017, staff at Google used one-time codes generated by the Google Authenticator app, according to Krebs on Security. However, a security key, which sells for as little as $20, uses a form of multifactor authentication known as U2F (Universal 2nd Factor). U2F lets users log in by plugging in the USB device and pressing a button on it. Once the device is tied to a specific site, users no longer need to enter their passwords.
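Why a key tied to a specific site resists phishing, as an added example that is not from the article, Krebs on Security or Google. It is a simplified model of the U2F exchange: HMAC stands in for the ECDSA signature of real U2F (where the site stores only a public key), and the class names, origins and message layout are constructed for illustration.

```python
import hashlib, hmac, json, os

def _mac(key, app_id, counter, client_data):
    msg = (hashlib.sha256(app_id.encode()).digest() + counter.to_bytes(4, "big")
           + hashlib.sha256(client_data).digest())
    return hmac.new(key, msg, hashlib.sha256).digest()

class SecurityKey:
    def __init__(self):
        self._secret, self._counter = os.urandom(32), 0
    def register(self, app_id):
        # One key per site, derived from the device secret and the site's origin.
        return hmac.new(self._secret, app_id.encode(), hashlib.sha256).digest()
    def sign(self, app_id, client_data):
        # In a real token this runs only after the button press (user presence).
        self._counter += 1
        return self._counter, _mac(self.register(app_id), app_id, self._counter, client_data)

def browser_sign(key, origin, challenge):
    # The browser records the origin it is really on; the page cannot set it.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return (client_data, *key.sign(origin, client_data))

class Site:
    def __init__(self, origin, key):
        self.origin, self.site_key = origin, key.register(origin)  # enrolment
        self.challenge, self.last_counter = None, 0
    def new_challenge(self):
        self.challenge = os.urandom(16).hex()
        return self.challenge
    def verify(self, client_data, counter, sig):
        data, expected = json.loads(client_data), self.challenge
        self.challenge = None  # each challenge is single use
        if expected is None or data["challenge"] != expected or data["origin"] != self.origin:
            return False
        if counter <= self.last_counter:  # counter must move forward
            return False
        ok = hmac.compare_digest(sig, _mac(self.site_key, self.origin, counter, client_data))
        if ok:
            self.last_counter = counter
        return ok

# Constructed origins: the real site and a look-alike domain.
REAL, LOOKALIKE = "https://accounts.example.com", "https://accounts-example.test"

def demo():
    key = SecurityKey()
    site = Site(REAL, key)
    genuine = site.verify(*browser_sign(key, REAL, site.new_challenge()))
    # The look-alike page relays the real challenge, but the browser signs its own origin.
    relayed = site.verify(*browser_sign(key, LOOKALIKE, site.new_challenge()))
    return genuine, relayed
```

`demo()` returns `(True, False)`: the response produced on the look-alike origin is rejected by the real site, whereas a one-time code typed into the same page would have been accepted when relayed.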
More websites are implementing U2F authentication, but only a small number currently support it, such as Facebook, GitHub, and Dropbox, according to Krebs on Security. It is also supported by browsers including Firefox, Opera, and Chrome. Microsoft will reportedly update its Edge browser later this year to support U2F.