How Google Reduced Account Takeovers to Zero (and You Can Too)
Google has more than 85,000 employees around the world, but it hasn't suffered a single takeover of a work-related account since early 2017, according to Krebs on Security. While it had used two-factor authentication for many years, including via its own Google Authenticator app, the company didn't stop phishing and account takeovers entirely until it adopted physical security keys companywide.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” said a Google spokesperson to Krebs on Security back in mid-2018. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Let's take a look at physical security keys, what makes them so powerful and how you can adopt them in your business to prevent phishing and account takeovers.
Google has more than 85,000 employees around the world, but the introduction of physical security keys has prevented phishing and account takeovers.
Where 2FA Falls Short
Traditional two-factor authentication, or 2FA, involves receiving a text message or using a third-party authenticator app to obtain a one-time code. Since the code is delivered to a mobile device, the assumption is that the person who's trying to authenticate must be legitimate — it's unlikely that someone has stolen a smartphone *and* knows the password.
There are several potential vulnerabilities with this approach:
- Phishing attacks - Phishing websites could prompt you to input both a two-factor authentication code and a password in order to bypass the added protection.
- Stolen accounts - If you receive codes on a virtual phone number (e.g. Google Voice) and that account is compromised, hackers can read your two-factor authentication codes at any time.
- SIM swaps - Phone companies might inadvertently provide a SIM card to someone calling and pretending to be you, which effectively gives them your phone number.
While it may not be perfect, it's worth noting that two-factor authentication is vastly superior to only using passwords. Businesses that don't want to adopt physical security keys should still adopt 2FA to dramatically cut down on phishing and account takeovers.
What Are Physical Security Keys?
Physical security keys are USB-based devices that offer an alternative to two-factor authentication known as Universal 2nd Factor, or U2F, authentication.
Download our free Checklist of Authentication Best Practices for Teams to learn how to handle password issues in small business team environments.
The user can log in by simply inserting the USB device and pressing a button on it — no software or special drivers required! Under the hood, a random number (a nonce) is generated when you first add the key to your account. A secure keyed hash function mixes this nonce with the domain name of the website and a secret key held on the physical device; the result serves as the private key for that site, and the corresponding public key is sent to the server together with the nonce and a checksum.
When you try to authenticate, the server generates a random challenge and the browser passes it to the physical device along with the nonce, the checksum and the domain it is talking to. The security key regenerates the private key and signs the challenge. The server validates the signature using the public key and successfully authenticates you if everything checks out.
These dynamics convey some important added security benefits, according to Fastmail’s excellent blog post on how USB security keys work:
- The strategy uses the website URL to create the public key, which means that it won't work on phishing websites, where the spoofed domain name won't match.
- The private key is securely stored on the physical device, which means that malware on the computer cannot access it, and a touch from the user is required to start a transaction.
- The server only has a public key, so if it's stolen, the hacker still doesn't have what they need to log in to the account, making it much more secure than just a password.
- The server only knows the public key, which is a random number — there's nothing that uniquely identifies each user, which means it protects your privacy.
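As an added illustration of the registration and login flow described above and of the first two benefits in the list (example code written for this article, not Fastmail's or any vendor's implementation; the HMAC-based key derivation, 16-byte nonce, 8-byte checksum and P-256 curve are assumptions), this toy token derives a per-site key pair and refuses to sign for a look-alike domain:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Token models the key-handle scheme described above (an assumed design, not any vendor's
// firmware): no private key is stored; it is re-derived from secret, nonce and browser origin.
type Token struct{ secret []byte } // master secret, never leaves the device
// mac is the keyed hash that "mixes" the nonce and domain name with the device secret.
func (t Token) mac(label string, nonce []byte, origin string) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write(append(append([]byte(label), nonce...), origin...))
	return m.Sum(nil)
}
// derive turns that hash into a P-256 private key; a look-alike origin yields a different key.
func (t Token) derive(nonce []byte, origin string) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(t.mac("key", nonce, origin))
	d.Mod(d, curve.Params().N)
	if d.Sign() == 0 { d.SetInt64(1) } // a zero scalar is not a valid key
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}
// Register returns the opaque handle (nonce || checksum) and the public key; the server stores only these.
func (t Token) Register(origin string) ([]byte, *ecdsa.PublicKey) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return append(nonce, t.mac("handle", nonce, origin)[:8]...), &t.derive(nonce, origin).PublicKey
}
// Sign answers a challenge; the browser supplies the origin, so a phishing domain fails the checksum.
func (t Token) Sign(handle []byte, origin string, challenge []byte) ([]byte, bool) {
	if len(handle) != 24 || !hmac.Equal(handle[16:], t.mac("handle", handle[:16], origin)[:8]) {
		return nil, false
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, t.derive(handle[:16], origin), h[:])
	return sig, err == nil
}
// Verify is the server side: only the stored public key and its own challenge are needed.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Real U2F tokens also sign a usage counter and the browser-supplied client data; this model keeps only the pieces the post discusses.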
Google Chrome, Safari and a growing number of software applications support the use of physical security keys, but the technology isn’t universally supported across all browsers and applications. It could take several years, or longer, for everyone to catch up — as it did when two-factor authentication was launched in a big way.
How to Add Them to Your Business
Physical security keys are remarkably easy to use compared to conventional two-factor authentication. Rather than opening apps or receiving text messages to authenticate, users insert a USB key into their laptop or desktop and simply touch it when they wish to authenticate. You can even pair it with a password manager to go completely passwordless!
There are a few things to keep in mind when implementing them in your business:
- Support - A growing number of browsers and applications support physical security keys, but we're still some way from full support. You should consider how many of your applications are compatible before making the switch.
- Cost - Physical security keys can be costly, so it's important to ensure that there's a sufficient budget allocated to both the purchase of the physical keys and the training necessary to show users how to use them.
- Training - Employees must be trained on how to use physical security keys. After all, they can do more harm than good if employees avoid turning on U2F because they don't know how to use the key and stick to password-only approaches.
It's important to note that authentication is just one piece of the cybersecurity puzzle. For example, many data breaches arise from outdated firmware vulnerabilities or open ports on network servers. Businesses must protect against these threats with a wide range of cybersecurity tools encompassing authentication, secure storage, network protection and more.
The Bottom Line
Google successfully eliminated phishing and account takeovers with the use of physical security keys. In fact, the company even launched its own Advanced Protection product that's powered by physical security keys. You can do the same by adopting physical security keys in your business and training employees on how to effectively use them.
For your other cybersecurity needs, you may want to consider a holistic solution like Jungle Disk. We provide a cybersecurity suite designed for small businesses with fewer than 250 employees, with a per-employee, per-month pricing model. You can access everything from active network protection to secure backups to password management.