No Google employee has fallen prey to phishing attacks since early 2017, which is when the company started requiring all its workers to use physical security keys.
Physical security keys, which are sold for as little as $20, are inexpensive USB-based devices that may be used to shore up user security. In the case of Google, it appears that investing in these devices is paying off.
Google Physical Security Key Protects Employees Against Phishing
Google told KrebsOnSecurity that none of its more than 85,000 employees has been victimized by a phishing attack on their work-related accounts since the company started requiring them to use physical security keys in place of the traditional passwords and one-time codes.
"We have had no reported or confirmed account takeovers since implementing security keys at Google," confirmed a spokesperson for Google.
What are security keys? They are inexpensive devices that provide an alternative approach to two-factor authentication, a security model in which users enter their password and then a second code, sent to their mobile device, when logging in to an account.
Phishing attacks come in various forms, but their end goal is to trick users into giving up sensitive information such as log-in details. Two-factor authentication seeks to prevent this, because even if hackers acquire an account's password, they will also need to acquire the second code. Unfortunately, there are already some attacks capable of intercepting these codes, which are usually sent through SMS.
The physical security key, however, makes it harder for hackers to acquire that second factor. To authenticate a log-in, the user inserts the key into the computer's USB port and then presses a button on it. This means that hackers will need to have the security key physically in their possession.
Protection Against Phishing
A study conducted by Google late last year revealed that phishing is the biggest online threat for Google accounts, followed by keyloggers and third-party breaches.
There are various ways to protect against phishing, including simply not responding to suspicious emails, as well as signing up for Google's own Advanced Protection program. However, companies may want to think about not only introducing two-factor authentication to their systems but also going the route of physical security keys instead of SMS-based codes.
Yubico's YubiKey Security Key, which is sold for $20, is an example of a device that provides the necessary additional protection for employees. The initial cost might be a bit steep for companies with a significant number of employees, but there is no price for an impenetrable wall of cybersecurity in this day and age.