Slashdot Mirror


None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

3 of 126 comments

  1. Wow a whole year by Anonymous Coward · Score: 4, Insightful

    I've never fallen for a phishing email with or without 2fa.

    If Google's getting kudos after a year, I want a goddamned payout.

    1. Re:Wow a whole year by Aighearach · Score: 3, Insightful

      My wife has never fallen for a phishing email either; she uses two factors. One, she got an email she doesn't understand. Two, she asks me to deal with it.

      Here is the thing, here is why this is huge news for nerds: Google never had to call me and ask. They didn't need to hire 85,000 nerds to protect 85,000 other employees. Their non-nerd employees were able to avoid phishing attacks with this system, on their own.

      And you can have whatever payout you want; I say reward yourself and take yourself outside for an activity.

    2. Re:Wow a whole year by Actually, I do RTFA · Score: 4, Insightful

      Google has 85,000 employees. For a phishing attack to work, it has to work on the dumbest employee.

      Since this implies that there were successful phishing attacks more than a year ago, congratulations on being better at security than the person in Google who gives the least shits.

      --
      Your ad here. Ask me how!