Google Fights Phishing Scams using USB Key

By John Lister

Google says it's suffered zero phishing attacks since it started making staff use a physical key to log in to work accounts. Of course, it's possible it's been hit with attacks it doesn't know about.

The measure was introduced to guard against phishing attacks, in which scammers try to trick victims into following a link and opening a bogus website that appears to belong to a legitimate organization. The idea is that victims then type in their login details, which the scammers can use to access the account on the real website.

This can be particularly problematic with business accounts that may house emails or messages with confidential information. Big businesses with a lot of employees can offer scammers numerous ways in, providing the scam is successful.

Two-Factor Authentication In Use

The Google security measure is an example of two-factor authentication. That refers to a security check that requires two different ways to prove identity, often described as "something you have and something you know." Usually this means knowing a password and having access to a physical item such as a cellphone.

Many online services trigger two-factor authentication only when somebody attempts to log in from an unfamiliar device or location, rather than every time somebody accesses an account. This setup aims to balance convenience and security.

Google previously used cellphone text messages carrying security codes as the second factor for employees accessing work accounts. However, last year it decided that all staff must use a physical security key instead.

Key Not Always Required

The key is a tiny device that plugs into a USB socket. Users logging into their account must type in their password, then plug the key in and press a button. The idea is that this is convenient enough that it can be used more regularly. The theory is that a scammer who got hold of an employee password couldn't use it without the key, while somebody who stole or found the key couldn't use it without the password. (Source: businessinsider.com)
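The two-step login described above, as an added illustration that is not Google's code or the article's own: a constructed model in which the server first checks the password and only then issues a one-time challenge that the key must answer. The HMAC challenge-response, the `SecurityKey` and `LoginServer` classes and the sample password are assumptions made for the example; real security keys use a different protocol, but the property the article describes (password without key fails, key without password fails, and an answer observed once cannot be reused) holds the same way.

```python
import hashlib
import hmac
import secrets
# Constructed model, not Google's or any vendor's code: the server stores a password
# hash plus the secret of one registered key; the key answers a fresh server challenge.

class SecurityKey:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # shared with the server when the key was registered
    def press_button(self, challenge: bytes) -> bytes:
        # The device only answers once the user physically presses its button.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class LoginServer:
    def __init__(self, password: str, key_secret: bytes) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._key_secret = key_secret
        self._pending = None  # challenge outstanding for the current login attempt

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def start_login(self, password: str):
        """Factor 1: verify the password; only then issue a one-time challenge."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        self._pending = secrets.token_bytes(32)
        return self._pending

    def finish_login(self, response: bytes) -> bool:
        """Factor 2: accept only the key's answer to the challenge still pending."""
        if self._pending is None:
            return False
        expected = hmac.new(self._key_secret, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: a captured answer cannot be replayed later
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    secret = secrets.token_bytes(32)
    key, server = SecurityKey(secret), LoginServer("correct horse", secret)
    r = {"password_and_key": server.finish_login(key.press_button(server.start_login("correct horse")))}
    r["wrong_password"] = server.start_login("guess") is None        # no challenge without factor 1
    server.start_login("correct horse")
    r["password_without_key"] = server.finish_login(b"\x00" * 32)     # stolen password alone fails
    captured = key.press_button(server.start_login("correct horse"))  # an answer a phisher observed
    server.finish_login(captured)                                     # the real login consumes it
    server.start_login("correct horse")
    r["replayed_answer"] = server.finish_login(captured)              # stale answer, fresh challenge
    return r
```

Running `demo()` returns a dictionary in which only the first entry is a successful login; the replayed answer fails because the server had already discarded the challenge it was computed over.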

Google staff don't currently have to use the key for every login. The company told security blogger Brian Krebs that "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." (Source: krebsonsecurity.com)

What's Your Opinion?

Have you used two-factor authentication? Would you be happy to use a security key to log in to a work account? Could such a set-up lead to people becoming complacent about security?


Comments

LouisianaJoe:

I can remember when software came with a dongle. Dongles were attached to the PC parallel port of the IBM PC via the DB-25 Centronics plug to prevent unauthorized use of proprietary software.

Currently they are available using USB and Bluetooth. I would use one for two-factor authentication but I can see where many would be required. If a company like Google provided a service that only required one per PC, I might consider that even though I do not completely trust Google to protect my privacy.

sixer_8349:

Two factor as often done is totally insecure.

Using a dongle is a good idea if security is necessary, but sending something to a cell phone that could have been diverted is incredibly stupid. Better to tell them to call a magic number and then enter their alternate password if you must use a phone with 2FS.

sytruck_8413:

Years ago, when my son worked at HP, he had what looked like a thick credit card. As I remember it, it contained a very accurate clock. It displayed a constantly changing number. Check "synchronous dynamic password token."

Worked well, but it was specific to HP. Probably wouldn't work so well as a consumer device.