Google reveals how it stopped phishing attacks for good

null

Google has revealed its way of cutting out phishing attacks completely.

The technology giant has said that using physical Security Keys has helped it almost entirely eradicate phishing attacks targeting its workers.

The low-cost items do away with the need for passwords or one-time codes sent by SMS, which have been previously hijacked to attack organisations around the world, with a different way of ensuring two-factor authentication (2FA). 

Instead, the key plugs directly into an employee's work machine via USB-A or USB-C port, with the worker then tapping a button on the key to sign in.

Google phishing defence

Speaking to Krebs on Security, Google said that since introducing the use of Security Keys in early 2017, it has not seen a single successful phishing attack or case of account takeover against any of its 85,000 employees across the world.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the company said in a statement. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

Despite still being a key that users could lose or misplace, security keys such as those produced by Yubikey have long been touted as a more secure option for workplace sign-ins and security. The keys form part of a form of authentication known as Universal 2nd Factor (U2F) which means that once approved, the user would not need to enter a password to log in to a certain account or website.

Google has backed the technology for sometime, with support for the authentication system used by the keys already active in Chrome, with websites such as Facebook, Github and Dropbox also supporting U2F, however other browsers are yet to offer support by default.

Via Krebs on Security