Mandatory security keys for Google employees cut successful phishing attacks to zero

Security keys could be the next big thing in online security

Yubikey from Yubico

Google began mandating security keys for employees in early 2017. The change reportedly cut successful phishing attacks on its more than 85,000 employees to zero.

The company told Krebs on Security that it has had “no reported or confirmed account takeovers since implementing security keys.”

Security key devices connect via USB and allow users to log in by simply pressing a button on the key. They use Universal Second Factor authentication (U2F).

Unlike traditional two-factor authentication (2FA), which supplements a password with a one-time code sent to a mobile device via text message or app, U2F devices simply plug in. Furthermore, U2F is much more secure, since attackers can intercept 2FA codes.
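The difference can be seen from the server's side. The sketch below is an added example, not code from Google, Yubico or the article: it models a login site checking a U2F-style assertion, which records the origin the browser was on, next to a one-time code, which records nothing. The origins and secrets are constructed, and HMAC stands in for the ECDSA signature a real key produces.

```python
import hashlib, hmac, json, os

# Constructed demo values (assumptions): both origins and both secrets.
REAL_ORIGIN = "https://accounts.example.com"
LOOKALIKE_ORIGIN = "https://accounts.example-login.test"
DEVICE_KEY = os.urandom(32)   # stands in for the key pair registered with the real site
OTP_SECRET = os.urandom(20)   # shared secret behind the one-time codes

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def browser_client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the web page, records the origin the user is really on.
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()

def key_sign(app_id: str, client_data: bytes, counter: int) -> bytes:
    # A U2F key signs appParam || presence || counter || challengeParam with ECDSA
    # P-256; HMAC-SHA256 is swapped in so this sketch needs only the stdlib.
    msg = (sha256(app_id.encode()) + b"\x01" + counter.to_bytes(4, "big")
           + sha256(client_data))
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()

def server_verify(challenge: str, client_data: bytes, counter: int, sig: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != REAL_ORIGIN:
        return False  # produced for another challenge or on another site
    # With real ECDSA the server would hold only the public key.
    return hmac.compare_digest(sig, key_sign(REAL_ORIGIN, client_data, counter))

def key_login_via(origin: str) -> bool:
    # The user touches the key while on `origin`; the result reaches the real site.
    challenge = os.urandom(16).hex()  # issued by the real site
    client_data = browser_client_data(challenge, origin)
    sig = key_sign(origin, client_data, counter=1)
    return server_verify(challenge, client_data, 1, sig)

def otp_code(counter: int) -> str:
    # Simplified HOTP-style code (not RFC 4226's exact truncation).
    mac = hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"

def otp_login_via(origin: str) -> bool:
    # The code carries no trace of `origin`, so the server cannot tell where it was typed.
    typed = otp_code(1)
    return hmac.compare_digest(typed, otp_code(1))

if __name__ == "__main__":
    for o in (REAL_ORIGIN, LOOKALIKE_ORIGIN):
        print(o, "key:", key_login_via(o), "otp:", otp_login_via(o))
```

The key-based login succeeds only when the assertion was made on the real origin, while the one-time code verifies regardless of where the user typed it.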

The downside with U2F security keys is that you need the physical key to log in. Furthermore, U2F is a rather new technology. As such, there isn’t much support for it on the web yet.

Limited support

Google Chrome, Firefox and Opera all support U2F. However, Firefox, both Quantum and older versions, requires users to enable U2F. To do so, simply type “about:config” in the browser bar and search for “security.webauth.u2f”.

Microsoft is planning to add U2F support to Edge later this year. However, Apple hasn’t said whether it will support the standard in Safari.

As far as websites go, a handful of big sites have support. Naturally, Google’s services support U2F. So do Dropbox, Facebook and GitHub. Furthermore, the Dashlane and KeePass password managers support U2F.

Yubico, one of the more popular manufacturers of U2F security keys, has a number of options available at a number of retailers. Canadians can pick up a Yubico security key for as low as $26 on Amazon. Additionally, the devices are waterproof and crushproof.

Security keys could be a fantastic way to secure yourself online. The devices clearly work well for Google. Hopefully that pushes more companies to adopt security keys.

Source: Krebs on Security Via: Engadget
