Phishing attacks are deceptively successful against less experienced users, but even those that consider themselves reasonably technical can occasionally fall prey to the simple approach. According to a recent report by Krebs on Security, Google and its employees aren’t among the 76% of businesses that have been victims of phishing attacks in the last year. In fact, not one of the company’s employees work accounts been successfully phished since 2017, thanks to hardware 2FA security keys.
For the uninitiated, 2FA comes in more than software-based authenticator/SMS flavors. You can just as easily make “what you have” a separate hardware device. That also means socially engineered hacks which could intercept the (laughably insecure) SMS-based 2FA systems used by many companies would have no effect on someone using a hardware key.
A spokesperson from Google informed Krebs on Security that hardware-based security keys are required for all account access for Google’s employees—89,000+ at the time of writing according to the Q2 2018 financial report, rather than the 85,000+ initially claimed. The spokesperson further said that, since 2017, “we have had no reported or confirmed account takeovers since implementing security keys at Google.” The hardware keys in use by the company use the open U2F authentication standard developed by Google together with Yubico and NXP.
At the time of writing, not all companies or services are compatible with the U2F standard for hardware security keys, though Chrome has supported it since Version 38, allowing Google account holders to use them for 2FA during the login process. Not all browsers are compatible, either, with only Firefox and Opera supporting U2F—no Edge or Safari (yet). Other services like Dropbox, Facebook, GitHub, Twitter, Salesforce, and several password managers play nice with U2F, though Krebs on Security notes that the Web Authentication API standard, if implemented by more services, would also make them compatible.
Let’s hope as more companies move to these new standards and begin introducing U2F support, they can also drop the ridiculous SMS-based 2FA keys and their pantomime of security. One need only point at Google’s total circumvention of all phishing-based attacks in the last year as proof that hardware keys work better.