In 2017, Google required its 85,000 employees to make the switch from single-use two-factor authentication codes to physical security keys. The move has paid off: Since implementing the physical security keys, no Google employee has been phished.
Before that point, Googlers used Google Authenticator for multi-factor authentication. The app generates one-time codes that employees entered in addition to a traditional password. With a USB security key, Krebs On Security explains, the user no longer needs to enter a password at all on a site, as long as they’ve got the key on hand. You just plug it in and press a button. Google employees use their keys for a variety of reasons, depending on factors such as the sensitivity of an app or the risk of the user at a particular point in time.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a Google spokesperson told Krebs On Security. Back in 2017, both Google and Facebook employees were suckered into a $100 million phishing scam.
Security keys follow the Universal 2nd Factor (U2F) standard, which hasn’t yet been super widely adopted across the internet. It is used by a handful of popular sites such as Facebook, GitHub, and Google’s apps, as well as a number of password managers. It’s also supported by browsers including Firefox, Chrome, and Opera. Physical keys are typically considered more secure than code-based two-factor, particularly SMS-based two-factor authentication, since SMS messages can be intercepted. However, in the case that you lose the physical key…well, that’s a big problem.
With Google’s glowing testimonial, it’s possible that USB security keys, like those made by Yubico, could become more popular and widely adopted. At a minimum, it seems to be some solid proof that physical keys are at least as secure as code-based two-factor, and infinitely more secure than passwords alone.
Though Google hasn’t experienced any successful phishing attempts since its switch, we do wonder about how many lost employee USB keys it has had to replace.