Google Says Employee Security Key Program A Success Against Phishing

Google has claimed success in its fight against employee phishing scams, telling reporters that none of its more than 85,000 employees has fallen victim to such a scam since the company deployed its Security Keys program. Reports in Krebs on Security on Monday (July 23) said a spokesperson for Google described its Security Keys initiative as the standard for employees to gain access to devices and accounts.

“We have had no reported or confirmed account takeovers since implementing Security Keys at Google,” the spokesperson told the publication. “Users might be asked to authenticate using their Security Key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The program is a two-factor authentication strategy that requires both the physical, USB-based Security Key and a password. Even if a hacker steals a password, they still cannot access an account without the physical Security Key.

Previously, Google employees were using a more common form of two-factor authentication, which required a password and a one-time security code sent to the user’s mobile phone. The enterprise has also traditionally embraced physical tokens that provide single-use codes to supplement passwords when employees access accounts.

The Security Keys program instead uses Universal 2nd Factor (U2F), the report explained, which works without the need for special software drivers. The device is linked to certain websites and apps, so the user does not need to enter a password unless they try to access that platform from a different device.

At present, reports noted, only a few high-profile sites support the Security Keys function, including Facebook and Dropbox. Microsoft has plans to update its Edge browser so it supports U2F later this year, reports said. Apple, meanwhile, has not revealed plans to do the same.

Last year, Google confirmed it had been the target of a business-email compromise scam that resulted in $100 million stolen from targets, which also included Facebook. At the time, Google said it recovered the funds stolen through the scam that targeted its supplier management team.