SoylentNews is people

posted by martyb on Tuesday July 24 2018, @12:37PM
from the upcoming-optimization:-put-the-physical-keys-in-the-cloud dept.

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."


  • (Score: 3, Interesting) by JoeMerchant on Tuesday July 24 2018, @06:49PM (2 children)

    by JoeMerchant (3937) on Tuesday July 24 2018, @06:49PM (#711824)

    IDK what they are using, but the USB key I selected to carry in my access badge has a full metal jacket with an integral metal hoop that I use to attach it to the same string my access badge is on.

    USB keys can be pretty solid, and if they go RFID that gets rid of the socket wearing out / water intrusion issues.

    Any kind of security key needs a procedure in place to revoke and/or replace it - physical security keys are no exception. If their IT department is on the ball, you should be able to show up at a desk, sign something in blood, and get a fresh key issued and have your lost one invalidated right then, right there.

    What would suck would be to lose your key in a public place far from the key replacement desk - maybe they have phone-in invalidation, like credit cards do.

    --
    🌻🌻 [google.com]
  • (Score: 2) by Freeman on Tuesday July 24 2018, @11:10PM (1 child)

    by Freeman (732) on Tuesday July 24 2018, @11:10PM (#712012) Journal

    'cause RFID screams secure.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Interesting) by JoeMerchant on Wednesday July 25 2018, @11:33AM

      by JoeMerchant (3937) on Wednesday July 25 2018, @11:33AM (#712267)

      There's all kinds of RFID - controlled distance NFC, cases that require metal to metal contact for the RF signal to be strong enough (but still not a plug and socket like USB to wear out), etc.

      I suspect they went USB to take advantage of all the already built-in readers in consumer gear.

      --
      🌻🌻 [google.com]