Physical Keys are the Secret behind Google’s protection from Phishing

Phishing is a form of fraud in which an attacker poses as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims. Put simply, phishing is the practice of stealing sensitive account information by posing as a legitimate entity. Spear phishing is a more targeted version in which the attackers go after a specific person or group of people. This is something that Google deals with a lot because its employees have access to a wealth of valuable information.

Idea beyond 2FA

Using two-factor authentication makes it vastly more difficult to break into someone’s account. Logging into an account with two-factor authentication requires something you know (your password) and something you have (usually a single-use code). Previously, Googlers used the Google Authenticator app to generate codes for logging into their accounts. The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or generated by the Google Authenticator app.

Two-factor authentication is better than using only a password, but it has its own issues. Hackers can use SIM hijacking to acquire a one-time code sent via SMS. Authenticator apps are more secure but are a hassle. Physical keys solve both these problems at once. There’s no transmitted code to intercept, no phone apps to fumble with, and no numbers to punch in at login. Instead, you pop the Security Key into the device and press a button.

Sturdy Safeguard to face hackers

Google appears to have settled on an extremely robust solution for protecting its own employees’ accounts. In early 2017 Googlers started using physical Security Keys in place of passwords and one-time codes, and since then Google hasn’t experienced any successful phishing attacks. Google revealed the news to Krebs on Security, which reports that Google requires its more than 85,000 employees to secure their accounts with physical security keys. A Google spokesperson said Security Keys now form the basis of all account access at Google.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA). Universal 2nd Factor (U2F), the standard behind physical security keys, is a process that verifies a login via a USB security key inserted into the device. The security key contains a physical button the user presses to complete the authentication, granting access to the secured account. A password is no longer necessary once the security key has been set up with the account. “We have had no reported or confirmed account takeovers since implementing security keys at Google,” says a Google spokesperson.

In contrast, YubiKey Security Keys implement a form of multi-factor authentication known as Universal 2nd Factor, which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers. Once a device is enrolled for a specific website that supports security keys, the user no longer needs to enter their password at that site unless they try to access the same account from a different device, in which case it will ask the user to insert their key.
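Why a login relayed through a look-alike site fails with a Security Key, as an added example that is not from the original article, Google or Yubico. It is a simplified model of a U2F sign-in: the origins and helper names are assumptions, and HMAC stands in for the ECDSA signature a real key produces.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://accounts.example.com"                 # assumed real site
LOOKALIKE = "https://accounts.example.com.login.invalid"   # constructed look-alike

class ToyKey:
    """Stand-in for an enrolled security key (HMAC instead of ECDSA P-256)."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def sign(self, client_data: bytes) -> bytes:
        digest = hashlib.sha256(client_data).digest()
        return hmac.new(self._secret, digest, hashlib.sha256).digest()

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        # Models the server checking against the key registered at enrollment.
        return hmac.compare_digest(self.sign(client_data), sig)

def browser_get_assertion(key, page_origin, challenge):
    # The browser, not the web page, records which origin asked for the signature.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, key.sign(client_data)

def server_verify(key, expected_challenge, client_data, sig):
    if not key.verify(client_data, sig):
        return "bad signature"
    data = json.loads(client_data)
    if not hmac.compare_digest(data["challenge"], expected_challenge):
        return "stale or wrong challenge"
    if data["origin"] != RP_ORIGIN:
        return "origin mismatch"
    return "ok"

def demo():
    key, challenge = ToyKey(), secrets.token_urlsafe(16)
    # 1. User signs in on the real site.
    good = server_verify(key, challenge, *browser_get_assertion(key, RP_ORIGIN, challenge))
    # 2. User is on a look-alike page that relays the real site's challenge.
    cd, sig = browser_get_assertion(key, LOOKALIKE, challenge)
    relayed = server_verify(key, challenge, cd, sig)
    # 3. The relay rewrites the origin field; the signature no longer matches.
    forged = server_verify(key, challenge, cd.replace(LOOKALIKE.encode(), RP_ORIGIN.encode()), sig)
    return good, relayed, forged

if __name__ == "__main__":
    print(demo())
```

A one-time code carries no record of where it was typed, so the same relay would pass a code check; the signed origin is what makes the key's response useless to a look-alike site.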

Franchises Choosing this Foremost Tool

Security Keys will remain a tool for early adopters and organizations particularly worried about security. Physical security keys are already supported by a number of companies and products such as Google, Dropbox, Facebook, and Twitter, as well as browsers like Google Chrome, Firefox, and Opera. Most major password managers also now support U2F, including Dashlane, KeePass, and LastPass. Yubico offers some of the most popular options at this time, including the YubiKey, which is available in versions for both desktop and mobile. Security keys cost around $20 each, but they’ve been slow to catch on with consumers. A Security Key looks just like a physical key, but it is still your best way of keeping yourself safe.

Author: Ramya Swetha Bandaru
Source: Krebs on Security