Google says none of its employees have been phished since it switched to security keys

midian182

Posts: 6,013   +50
Staff member

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” said the tech giant, in a statement to Krebs on Security.

"Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

Security keys replace the more common form of two-factor authentication that relies on sending SMS messages with an included code. The cheap, USB devices require users to insert the key and hit the button when signing in. They’re considered safer than the other types of 2FA, where hackers can intercept the messages sent to a device using techniques such as SIM spoofing.

Anyone who unwittingly handed over their credentials via a phishing email won’t have their accounts breached unless the malicious actors also possess the security keys. The only real security concern comes from the risk of losing them.

Several large sites now support the U2F authentication found in security keys, including Facebook, Dropbox, and GitHub, while password managers such a Dashlane and LastPass can also be configured to support it. In the world of browsers, Chrome supports U2F but it needs to be manually activated on Firefox, and Edge won’t offer support until later in 2018. No word on when or if Safari might adopt it, but expect more companies to come onboard following Google’s praise.

Permalink to story.

 

m4a4

Posts: 1,948   +1,730
TechSpot Elite
2FA should be a standard in the world today. Wherever I can activate it, I do.
It depends on how it's implemented. If you sign in and it allows you to remember the client, then I'm fine with it (and I agree).
But if it requires the extra step every time I sign in (without the choice of remembering my client), then it gets annoying really fast (and I don't agree, at least when it comes to less sensitive data).
 

OutlawCecil

Posts: 737   +562
2FA should be a standard in the world today. Wherever I can activate it, I do.
It depends on how it's implemented. If you sign in and it allows you to remember the client, then I'm fine with it (and I agree).
But if it requires the extra step every time I sign in (without the choice of remembering my client), then it gets annoying really fast (and I don't agree, at least when it comes to less sensitive data).
exactly my view on this
 

Kibaruk

Posts: 3,836   +1,183
Everywhere I have that works exactly like that, except a couple more sensitive accounts that require 2FA every time and I don't mind about it, I feel so much secure to the point it doesn't even matter if I give my password up.

Again, it should be a standard and as such, treated like a standard.
 
  • Like
Reactions: OutlawCecil