Google claims it has completely eliminated successful phishing attacks against its employees through the use of physical security keys and Universal Second Factor.
Google began introducing and evaluating physical security keys in 2014 and by early 2017 all 85,000-plus Google employees were required to use them when accessing company accounts. In the time since, the company told Brian Krebs, no employee has been successfully phished.
A Google spokesperson said the decision to use the Universal Second Factor (U2F) physical security keys instead of software-based one-time-password (OTP) authentication was based on internal testing.
“We believe security keys offer the strongest protections against phishing,” a Google spokesperson wrote via email. “We did a two-year study that showed that OTP-based authentication had an average failure rate of 3%, and with U2F security keys, we experienced zero percent failure.”
Lane Thames, senior security researcher at Tripwire, based in Portland, Ore., said the main reason these software-based apps are less secure is “because attackers can potentially intercept these OTPs remotely.”
“Another issue is the bulk production of OTPs that users can store locally or even print. This is done in order to make the 2FA [two-factor authentication] process a little easier for end users or so end users can save OTPs for later use, if they don’t have access to their phones when the code is needed,” Thames wrote via email. “This is akin to a similar problem where users write passwords and leave them around their workspace.”
However, John Callahan, CTO at Veridium, an identity and access management software vendor based in Quincy, Mass., noted that there are also benefits to users opting for 2FA via smartphone.
“Some people who use a U2F key fear losing it or damaging it. This is where biometrics can play a key role. Methods using biometrics are helping to prevent attacks,” Callahan wrote via email. “Using biometrics with the Google Authenticator app is a secure solution, because a mobile phone is always nearby to authenticate a transaction.”
Moving companies to physical security keys
Physical security keys implementing U2F were the core part of Google’s Advanced Protection Program, which it rolled out as a way for high-risk users to protect their Google accounts. A physical security key, like a YubiKey, can authenticate a user simply by inserting the key into a computer, tapping it against an NFC-capable smartphone or connecting to an iOS device via Bluetooth.
Nadav Avital, threat research manager at Imperva, based in Redwood Shores, Calif., said, “in an ideal world,” more companies would require multifactor authentication (MFA).
“In general, physical keys offer better security, because software-based authentication relies on a shared secret between the client and the provider that can be discovered. Unfortunately, most people don’t use [2FA or MFA], neither physical nor software-based, because they don’t understand the implications or because they prefer simplicity over security,” Avital wrote via email. “Clients can suffer from fraud, data theft or identity theft, while the company can suffer from reputation damage, financial damage from potential lawsuits and more.”
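As an added illustration (not from the article or from any of the quoted vendors) of the two points made above, that an intercepted OTP can be used anywhere because it derives from a secret both sides hold, while a security key signs the challenge together with the origin the browser actually connected to, the following Python script contrasts the two flows. It uses only the standard library; the shared secret, device key, origins and timestamps are constructed for the demo, and an HMAC tag stands in for the token's per-site ECDSA signature (in real U2F the private key never leaves the device, and the relying party holds only the public key).

```python
"""Added demo: a relayed OTP versus an origin-bound U2F-style assertion.
Every key, origin and timestamp here is constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"   # constructed relying-party origin


# ---- Software OTP (TOTP shape, RFC 6238): one secret held by both sides ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the time-step counter, dynamically truncated to N digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def otp_login(server_secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """The site only checks the code; it cannot tell where the code was typed."""
    return hmac.compare_digest(totp(server_secret, unix_time), submitted_code)


def phished_otp_relay(shared_secret: bytes, unix_time: int) -> bool:
    """Victim types the code on a look-alike page; it is forwarded within the step."""
    code_typed_on_lookalike = totp(shared_secret, unix_time)
    return otp_login(shared_secret, code_typed_on_lookalike, unix_time)


# ---- U2F-style assertion: signature covers the challenge AND the browser's origin ----
def device_sign(device_key: bytes, browser_origin: str, challenge: str) -> tuple[bytes, str]:
    """The browser, not the user, supplies the origin it is really connected to.
    HMAC stands in for the device's ECDSA signature (demo simplification)."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge},
                             sort_keys=True).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).hexdigest()


def relying_party_verify(registered_key: bytes, issued_challenge: str,
                         client_data: bytes, signature: str) -> bool:
    """Reject unless the signature is valid AND the signed origin is ours."""
    expected = hmac.new(registered_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    data = json.loads(client_data)
    return data["origin"] == REAL_ORIGIN and data["challenge"] == issued_challenge


def u2f_login(device_key: bytes, browser_origin: str) -> bool:
    """Full exchange: the site issues a challenge, the device signs it together with
    the origin the browser saw, the site verifies. A browser_origin other than
    REAL_ORIGIN models a challenge relayed through a look-alike page."""
    challenge = secrets.token_hex(16)
    client_data, signature = device_sign(device_key, browser_origin, challenge)
    return relying_party_verify(device_key, challenge, client_data, signature)


if __name__ == "__main__":
    secret, t = b"constructed-shared-secret", 1_700_000_000
    print("OTP, genuine site :", otp_login(secret, totp(secret, t), t))
    print("OTP, relayed      :", phished_otp_relay(secret, t))
    print("U2F, genuine site :", u2f_login(b"constructed-device-key", REAL_ORIGIN))
    print("U2F, look-alike   :", u2f_login(b"constructed-device-key",
                                           "https://accounts-example.com.evil.test"))
```

The TOTP half reproduces the RFC 6238 construction, so the same code is valid on any page it is typed into during the 30-second step. The U2F half fails on the look-alike origin not because the signature is bad but because the relying party compares the origin inside the signed client data with its own; that comparison, made by the site and fed by the browser, is the phishing resistance the article attributes to the keys.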
Richard Ford, chief scientist at Forcepoint, a cybersecurity company based in Austin, Texas, said worrying about the best way to implement 2FA might be premature, as “we still have oodles of companies still using simple usernames and password.”
“Getting off that simple combo to something more secure provides an immediate plus up for security. Look at your risk profile, and try and peer a little into the future,” Ford said. “Remember, what you plan today won’t be reality for a while, so you want to skate to where the puck is going. With that said, please don’t let perfect be the enemy of good.”
Petitioning the board
Experts noted that not all IT teams will have as easy a time convincing the board to invest in making physical security keys or another form of multifactor authentication a requirement as Google would.
Matthew Gardiner, cybersecurity expert at Mimecast, a web and email security company based in Lexington, Mass., suggested framing the issue in terms of risk reduction.
“It is hard to quantify risk unless you have experienced a recent breach. Using MFA is not a theoretical idea; it is now a security best practice that is incredibly cheap and easy to use from a multitude of vendors and cloud service providers,” Gardiner wrote via email. “I can only assume that if organizations are still only using a single factor of authentication in support of B-to-B or B-to-E applications that they must think they have nothing of value to attackers.”
Ford said it was probably best not to spear phish the board for effect, “no matter how tempting that might be.”
“I would, however, suggest that the Google data itself can be of tremendous value. Boards understand risk in the scope of the business, and I think there’s plenty of data now out there to support the investment in more sophisticated authentication mechanisms,” Ford wrote. “Start with a discussion around Google and their recent successes in this space, and also have a reasoned — and money-based — discussion about the data you have at risk. If you arm the board with the right data points, they will very likely make the right decision.”