Google Fights Phishing Scams using USB Key
Google says it's suffered zero phishing attacks since it started making staff use a physical key to log in to work accounts. Of course, it's possible it's been hit with attacks it doesn't know about.
The measures were taken to protect against phishing attacks, in which scammers try to trick victims into following a link and opening a bogus website that appears to be from a legitimate organization. The idea is that victims then type in their login details, which the scammers can use to access their account on the real website.
This can be particularly problematic with business accounts that may house emails or messages with confidential information. Big businesses with a lot of employees can offer scammers numerous ways in, providing the scam is successful.
Two-Factor Authentication In Use
The Google security measure is an example of two-factor authentication. That refers to a security check that requires two different ways to prove identity, often described as "something you have and something you know." Usually this means knowing a password and having access to a physical item such as a cellphone.
Many online services trigger two-factor authentication when somebody attempts to log in from an unfamiliar device or location, rather than using it every time somebody accesses an account. This setup aims to balance convenience and security.
Google previously used cellphone text messages with security codes for two-factor authentication for its employees when they accessed work accounts. However, last year it decided all staff must use a physical security key.
Key Not Always Required
The key is a tiny device that plugs into a USB socket. Users logging into their account must type in their password, then plug the key in and press a button. The idea is that this is convenient enough that it can be used more regularly. The theory is that a scammer who got hold of an employee password couldn't use it without the key, while somebody who stole or found the key couldn't use it without the password. (Source: businessinsider.com)
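The password-plus-key login described above, as an added Python sketch (not Google's code and not from the article): the server accepts a login only when both the password and the key's response to a fresh challenge check out. An HMAC secret shared at enrolment stands in for the public-key signature a real key produces, and tying the response to the site's address is how FIDO-style keys behave, which goes beyond what the article describes; all names, the password and the site addresses are constructed.

```python
import hashlib
import hmac
import os

ORIGIN = "https://accounts.example"  # constructed address of the real site

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def mac(secret, origin, challenge):
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class ToyKey:
    """Stand-in for the USB key. A real key signs with a private key that stays
    on the device; this toy shares one HMAC secret with the server instead."""
    def __init__(self):
        self.secret = os.urandom(32)

    def respond(self, origin, challenge, pressed=True):
        # No button press, no response.
        return mac(self.secret, origin, challenge) if pressed else None

class Server:
    def __init__(self, password, key):
        self.salt = os.urandom(16)
        self.stored = pw_hash(password, self.salt)
        self.key_secret = key.secret  # enrolment step (assumption of this toy)

    def challenge(self):
        return os.urandom(16)  # fresh random value for every login attempt

    def login(self, password, challenge, response):
        pw_ok = hmac.compare_digest(pw_hash(password, self.salt), self.stored)
        expected = mac(self.key_secret, ORIGIN, challenge)
        key_ok = response is not None and hmac.compare_digest(response, expected)
        return pw_ok and key_ok  # both factors are required

def scenarios():
    key = ToyKey()
    srv = Server("correct horse", key)  # constructed password
    def attempt(password, origin=ORIGIN, pressed=True):
        c = srv.challenge()
        return srv.login(password, c, key.respond(origin, c, pressed))
    return {
        "password + key": attempt("correct horse"),
        "password, key not pressed": attempt("correct horse", pressed=False),
        "key, wrong password": attempt("guess"),
        "key answered a bogus site": attempt("correct horse", origin="https://accounts.example.test"),
    }
```

Calling `scenarios()` returns one result per case; only the first, where the right password and a key response for the real site are both present, is accepted.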
Google staff don't currently have to use the key for every login. The company told security blogger Brian Krebs that "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." (Source: krebsonsecurity.com)
What's Your Opinion?
Have you used two-factor authentication? Would you be happy to use a security key to log in to a work account? Could such a set-up lead to people becoming complacent about security?
Comments
Dongle
I can remember when software came with a dongle. Dongles were attached to the PC parallel port of the IBM PC via the DB-25 Centronics plug to prevent unauthorized use of proprietary software.
Currently they are available using USB and Bluetooth. I would use one for two-factor authentication but I can see where many would be required. If a company like Google provided a service that only required one per PC, I might consider that even though I do not completely trust Google to protect my privacy.
two factor is not safe
two factor as often done is totally insecure
using a dongle is a good idea if security is necessary
but
sending something to a cell phone that could have been diverted is incredibly stupid
better to tell them to call a magic number and then enter their alternate password if you must use a phone with 2FA
Two factor
Years ago when my son worked at HP he had what looked like a thick credit card. As I remember it, it contained a very accurate clock. It displayed a constantly changing number. Check Synchronous dynamic password token.
Worked well but it was specific to HP. Probably wouldn't work so well as a consumer device.