Physical security keys in place of passwords have proven effective for Google and other large sites.
Google has successfully kept more than 85,000 employees from getting phished on their work-related accounts since 2017. According to reporting from KrebsOnSecurity, physical security keys are to thank for that.
Security keys are physical USB-based devices that can be used as an alternative to the standard two-factor authentication (2FA) process.
A 2FA process is meant to ensure that if a thief steals a user's password, they aren't able to access the user's account because they don't have an additional factor (e.g., the user's mobile device) needed to complete the login process.
The security key process proves more secure. According to the report, security keys implement a multi-factor authentication standard known as Universal 2nd Factor (U2F). The user logs in by inserting the USB device and pushing a button on it, which means that without the physical key, a malicious actor cannot successfully log in as the employee. This doesn't mean that Google employees never clicked a malicious link in an email, for example, but that the phishing attempt didn't successfully exfiltrate any company data.
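To make the difference concrete, here is an added illustration (not code from the article or from any U2F implementation) that models the challenge-response a security key performs: the browser, not the web page, tells the key which origin it is talking to, and the signature covers that origin, so a challenge relayed through a lookalike site yields a signature the real site rejects. The model goes beyond the article's description in spelling out that origin binding, and it replaces the standard's ECDSA signature with a shared-secret HMAC for brevity; `SecurityKey`, `Site` and the origins used are constructed names.

```python
import hashlib
import hmac
import os


class SecurityKey:
    """Simplified security key: one secret per registration (constructed model;
    a real key holds a private key and the site keeps only the public key)."""

    def __init__(self):
        self._handles = {}

    def register(self):
        handle, secret = os.urandom(8).hex(), os.urandom(32)
        self._handles[handle] = secret
        return handle, secret

    def sign(self, handle, challenge, origin):
        # `origin` is supplied by the browser from the page actually loaded,
        # never by the page itself, so the signature is bound to that origin.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._handles[handle], msg, hashlib.sha256).digest()


class Site:
    """Relying party that issues challenges and verifies them for its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self.registrations = {}

    def enroll(self, user, key):
        handle, secret = key.register()
        self.registrations[user] = (handle, secret)

    def verify(self, user, challenge, signature):
        handle, secret = self.registrations[user]
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login(site, key, user, browser_origin):
    """Run one login; browser_origin is the page the victim's browser is really on.
    A lookalike page can relay the real site's challenge and key handle, but the
    key signs for the lookalike's origin, so the real site's check fails."""
    handle = site.registrations[user][0]
    challenge = os.urandom(32)
    signature = key.sign(handle, challenge, browser_origin)
    return site.verify(user, challenge, signature)
```

Calling `login` with the site's own origin succeeds, while calling it with a lookalike origin fails even though the challenge and key handle were relayed intact.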
In addition to Google, many other high-profile sites including Facebook, GitHub, and Dropbox are supporting similar U2F processes, according to the report. U2F is currently supported by Google Chrome, Mozilla Firefox, and Opera. However, the report noted that U2F is not enabled by default in Firefox.
Software giants Microsoft and Apple have yet to roll out browser support for U2F, but Microsoft said its upcoming Edge browser will support U2F later this year, according to the KrebsOnSecurity report. Apple hasn't announced any plans on whether or not its standard Safari browser will support U2F.
Until a U2F system is commonplace and supported by all sites, users can protect themselves from phishing attacks by following these 10 tips from TechRepublic's Brien Posey.
The big takeaways for tech leaders:
- Google successfully protected its 85,000 employees from getting phished on their work accounts by utilizing physical security keys as part of a 2FA strategy.
- U2F processes could become commonplace within the next few years as large companies are beginning to adopt the security measure.