For the last year-and-a-half Google has prevented the successful execution of phishing attacks against its employees by simply introducing a key, a Google spokesperson told KrebsOnSecurity.
Introduced in 2017, the company rolled out physical Security Keys to its 85,000 employees, requiring the USB devices instead of two-factor authentication, according to KrebsOnSecurity. Since their introduction, Google has had "no reported or confirmed account takeovers," the spokesperson told KrebsOnSecurity.
With a key, users can simply login to applications or portals without entering a password, according to KrebsOnSecurity. All they have to do, instead, is plug in the Security Key and press a button. Once a device is accustomed to a key, passwords are no longer required, unless a user is trying to log in on a new device.
Google introduced a relatively simple solution to a problem that has plagued organizations for years. Rather than verifying account credentials online, the company gave employees a physical device for access.
Changing credentials and introducing physical access — whether that's through a key or GPS location — is part of an emerging shift in identity and access management.
Phishing schemes have become more advanced and malicious. Schemes mimicking authentic emails requesting wire transfers can con organizations out of millions of dollars. And even more malicious attacks gain access to an employees login credentials and can, from there, spread ransomware in corporate systems.
Some enterprising cybercriminals were even taking advantage of the privacy craze prior to GDPR's deadline and launched phishing emails against unsuspecting users.
In response, organizations have attempted to boost credential security, making password requirements longer with more frequent expirations, to the frustration of many users.
The technology sector is trying to shift away from passwords altogether. The current standard for password etiquette is giving way to biometrics and behavioral insights. Step-up authentication is also becoming en vogue as companies require additional authentication procedures if a user's behavior is out of the norm.