
posted by martyb on Tuesday July 24 2018, @12:37PM
from the upcoming-optimization:-put-the-physical-keys-in-the-cloud dept.

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."


  • (Score: 4, Interesting) by bradley13 on Tuesday July 24 2018, @01:29PM (3 children)

    I recently got a Yubikey (from Ars) to play around with. I've not looked into how the thing actually works, but purely from a user perspective, there seems to be a problem with browser dependencies, or perhaps browser version dependencies. I often have to switch browsers to get into a particular site. I've been too lazy to document exactly what works, and what doesn't, but there's really no reason for any vaguely recent, mainstream browser not to work.

    This is something that seems to crop up more and more lately: websites that work differently, or not at all, with particular browsers. Reminds me of the bad-old-days with IE6...

    --
    Everyone is somebody else's weirdo.
  • (Score: 2) by opinionated_science on Tuesday July 24 2018, @02:02PM

    In general, UN*X has had OTP for decades, so TFA is simply an extension.

    "RSA Key" has been around a good while - they got hacked once, though I'm not sure how much that affected them.

    Yubikey is probably as good as you can get on the domestic market.

    I believe YK works via the keyboard input - well behaved on Linux, MacOsx.

    I know nothing about Winsoze....

    Anybody else?

  • (Score: 2, Interesting) by Anonymous Coward on Tuesday July 24 2018, @03:14PM (1 child)

    I was going to point out the hypocrisy with Google here: they're using hardware keys, but they purposefully prevent Firefox from accessing Gmail via a Yubikey even though they support it on Chrome and Firefox supports Yubikey out of the box.