Mandatory Keys Cut Successful Phishing Attacks on Google to Zero
Google might have just made itself the most significant example of how security keyscan work better than other forms of multi-factor authentication. According to Krebs on Security,ever since Google required over 85,000 of its employees to use physical security keys instead of one-time codes in 2017, it hasn't had a single case of account takeover from phishing. "We have had no reported or confirmed account takeovers since implementing security keys at Google," a company spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
Security keys like the one made by Yubikey give you a way to log into a website by merely plugging it in and pressing a button. You don't even need to type in your password anymore, much less generate a one-time code. While the method has its weakness, considering it relies on a physical item you can lose, it's considered safer than two-factor authentication, especially the type that sends you codes via SMS. Hackers could intercept messages sent to your device, after all, and gain entry to your account that way.
Unfortunately, Universal 2nd Factor (U2F) – that's what you call the type of multi-factor authentication that uses physical keys – support is pretty limited at the moment. You can already depend on it for protection on Chrome, but you'd have to manually activate it on Firefoxby going to "about:config" first. Microsoft won't be rolling out U2F compatibility for Edgeuntil later this year, and Apple has yet to reveal whether Safari will ever support the standard. Further, only a few websites and services can use it, including Facebook and password managers such as Keepass and LastPass. It remains to be seen if Google's positive experience with the standard can help it become more widespread, but it's the kind of meaningful testimonial that could give it a massive boost.