None of Google's 85,000+ employees have been phished since Google started requiring everyone to use a physical security key to protect their work accounts. Phishing remains one of the most common ways for attackers to trick people - yes, even the tech-savvy ones - into giving up their credentials or installing a malicious file on their computers.
By designing carefully crafted websites or emails, legit-looking fraudulent content is used to make people click on phishing links or give up their passwords. This is how the attack on the DNC ahead of 2016 presidential election was carried out.
How does Google ensure everyone working for it remains secure against phishing attacks
Security experts continue to warn businesses how their employees are their weakest link, unwittingly giving away trade secrets and access to enterprise networks. It appears Google has found a solution.
While people are already recommended to use two-factor authentication where you receive a confirmation code via a text message on your phone, as it is evident this is no longer the most secure way to secure your online presence. With physical keys, you have to have this key on you to be able to access your account. This means that since attackers usually don't have physical access to your devices (if they do, you have a bigger problem to deal with), they can't get into your online accounts either.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” Google told Brian Krebs. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Yubico is the most popular vendor of physical U2F security keys that go for $20. However, if you think this isn't for you, you should still opt for apps like Google Authenticator that create one-time codes for your accounts that are displayed on your phone, since SMS-based 2FA is no longer sufficient to protect your accounts. For businesses, Google is a good model to follow as it has essentially neutralized phishing attacks by investing in physical keys.
