Google makes a solid case for use of physical security keys instead of SMS-based Two-Factor Authentication

A report has found that none of Google's 89,000+ employees have suffered a Phishing attack in 10 months thanks to the use of physical U2F keys to access official Google accounts, instead of SMS-based two-factor authentication.

Published Date
25 - Jul - 2018
| Last Updated
25 - Jul - 2018
 
Google makes a solid case for use of physical security keys inste...

Google’s 89,000+ employees have not suffered a Phishing attack on their official Google accounts since 2017, when the company first implemented Two-Factor Authentication using physical security keys. Physical or hardware security keys, popularly known as U2F keys (Universal 2nd Factor), come in the form of USB dongles that can be inserted at the time of login to authenticate an account. According to a report by Krebs on Security, work accounts of Google employees have not been subject to phishing attacks in the past 10 months thanks to all of them switching to a physical security key and ditching SMS-based two-factor (2FA) authentication.

Commenting on the report, a Google spokesperson said, “We have had no reported or confirmed account takeovers since implementing security keys at Google.” “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time,” the person added.

Google introduced 2FA using hardware security keys through its Advanced Protection Programme in October last year. If a users is enrolled to use a U2F key, other forms of authentication like SMS, OTP, and even the Google Authenticator app are disabled.

Currently, Firefox, Chrome, and Opera browsers supports physical security keys to provide access to services like Gmail, Google Photos, GitHub, Facebook, and other. Once a device is enrolled for a specific website that supports security keys, users no longer needs to enter their password on that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

Here is how you can use a U2F key to access your Google account. You can also head here to check if a website support U2F keys. Note that you will have to purchase a security key in order to access this service. Physical security keys are easily available online and cost anywhere between Rs 1,500 - Rs 10,000, depending on the type of key (Only USB or USB and Bluetooth/Wi-Fi) you purchase.

A recent report on SIM hacking to bypass Instagram’s SMS-based 2FA made it clear just how easy it is to get by the ageing authentication mechanism. Instagram, too, is testing other app-based authentication methods to enhance security on the platform. Physical security keys are the need of the hour as it is increasingly becoming common for hackers to gain access to users’ accounts by impersonating the users and pretending they have been locked out of their accounts.

Adamya SharmaAdamya Sharma

Managing editor, Digit.in - News Junkie, Movie Buff, Tech Whizz!