Google says that none of its employees has fallen for a successful phishing attack in the roughly 18 months since it introduced physical security keys. The keys replace the one-time codes, such as those generated by apps like Google Authenticator, that Google’s workforce of more than 85,000 staff were previously required to use as their second login factor alongside a password. Here’s what Google has done.
Google has deployed the US$20 YubiKey security key. This USB device, according to Krebs on Security, “implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device”. So, rather than asking users to type in a code generated by an app after their password, the second factor is supplied by a specific piece of hardware that the user must physically touch.
Many phishing attacks rely on users handing information to attackers, typically by typing a password and a one-time code into a look-alike site. The threat actors then use that information to log in as the user and gain unauthorised access to resources on the user’s computer or the rest of the network. A U2F key defeats this in two ways. First, the private key never leaves the device and it only signs after a physical button press, so there is no secret the user can type into a fake page. Second, the browser, not the web page, records the origin it is actually connected to in the data the key signs, along with a fresh challenge from the site and a usage counter. A signature produced on a phishing domain is therefore bound to that domain and is rejected by the real site, so an attacker cannot take a captured response and use it remotely.
While one-time codes are popular – for example, many banks use them to authenticate online transactions – they offer no protection against a phishing page that simply relays the code to the real site in real time, and codes delivered by SMS can also be captured by determined thieves using techniques such as SIM swapping.
U2F support is already baked into a number of security products, including the popular LastPass, Dashlane and KeePass password managers. Chrome and Firefox support U2F, and many Google services accept it. Support is also coming to Microsoft Edge, but Krebs reports that Apple has not said when it will support U2F in Safari.
Many major breaches start with the compromise of a user account. Poorly configured internal security controls are what let attackers move from system to system once they hold that account, but standards like U2F make the initial compromise itself far harder to achieve by phishing.