In brief: We know that multi-factor authentication is an excellent way of protecting yourself from phishing attacks, and its most effective form is security keys. Just ask Google, which has revealed that since requiring all employees to start using the USB keys in early 2017, not a single one of its 85,000+ employees has had their work account successfully phished.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” said the tech giant, in a statement to Krebs on Security.
"Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
Security keys replace the more common form of two-factor authentication that relies on sending SMS messages with an included code. The cheap USB devices require users to insert the key and press the button when signing in. They’re considered safer than the other types of 2FA, where hackers can intercept the messages sent to a device using techniques such as SIM spoofing.
Anyone who unwittingly handed over their credentials via a phishing email won’t have their accounts breached unless the malicious actors also possess the security keys. The only real security concern comes from the risk of losing them.
Several large sites now support the U2F authentication found in security keys, including Facebook, Dropbox, and GitHub, while password managers such as Dashlane and LastPass can also be configured to support it. In the world of browsers, Chrome supports U2F, but it needs to be manually activated on Firefox, and Edge won’t offer support until later in 2018. No word on when or if Safari might adopt it, but expect more companies to come on board following Google’s praise.