Mandatory keys cut successful phishing attacks on Google to zero

Google hasn't seen a confirmed instance of account takeover since requiring security keys in 2017.

Google might have just made itself the biggest example of how security keys can work better than other forms of multi-factor authentication. According to Krebs on Security, ever since the tech giant required over 85,000 of its employees to use physical security keys instead of one-time codes in 2017, it hasn't had a single case of account takeover from phishing. "We have had no reported or confirmed account takeovers since implementing security keys at Google," a company spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

Security keys like the one made by Yubikey give you a way to log into a website simply by plugging it in and pressing a button. You don't even need to type in your password anymore, much less generate a one-time code. While the method has its own weakness, considering it relies on a physical item you can lose, it's considered safer than code-based two-factor authentication, especially the type that sends you codes via SMS. Hackers could intercept messages sent to your device, after all, and gain entry to your account that way.

Unfortunately, support for Universal 2nd Factor (U2F), the type of multi-factor authentication that uses physical keys, is pretty limited at the moment. You can already depend on it for protection on Chrome, but you'd have to manually activate it on Firefox by going to "about:config" first. Microsoft won't be rolling out U2F compatibility for Edge until later this year, and Apple has yet to reveal whether Safari will ever support the standard. Further, only a few websites and services can use it, including Facebook and password managers such as Keepass and LastPass. It remains to be seen if Google's positive experience with the standard can help it become more widespread, but it's definitely the kind of meaningful testimonial that could give it a massive boost.
