Google Employees' Secret to Never Getting Phished: Physical Security Keys





If you have been hacked in recent years, there is a good chance that you were the victim of a well-crafted phishing message in your email. Even the most security-aware individuals can slip, but Google employees have reportedly had an impeccable security record for over a year thanks to a recent policy requiring them to use physical security keys.

Krebs on Security reports that in early 2017, Google started requiring its 85,000 employees to use a security key device to handle two-factor authentication when logging into their various accounts. Rather than relying on a password alone, or receiving a secondary access code by SMS (or from an application such as Google Authenticator), employees had to use a traditional password and plug in a device that only they owned. The results were stellar. Excerpt from the report:

A Google spokesman said that security keys were the basis of all access to Google. "We have not received any account confirmation since Google set up security keys." "Users may be asked to authenticate using their security key for many different applications / reasons, depending on the sensitivity of the application and the risk of the user at that time."

A Google spokesman confirmed this statement when contacted by Gizmodo. Even successful phishing of a lower-level worker can provide enough access to reach sensitive systems, or provide a starting point for targeting an employee with deeper access. So when Google says that it may have withstood thousands of attacks for a year without any known incident, it is worth paying attention.

You are probably already using two-factor authentication for at least some of your accounts; you certainly should be. The idea is that anyone trying to access an account must take an extra step. For example, if you simply clicked on a link in your inbox and accidentally handed your Gmail password to a hacker, the hacker would still need the code from an SMS text message or an authentication application to access your account. Prior to implementing the physical security key requirement, Google employees were using Google Authenticator for this second layer of protection.

Last year, the company went one step further with Universal 2nd Factor (U2F) authentication via a device like the popular USB YubiKey. Even the text message codes sent to your phone can be hijacked by a determined hacker, but a security key must be physically inserted into the machine you are using. If a hacker really wanted to get into your files, he would have to get his hands on the device itself.

Until we find a better alternative to passwords, U2F is one of the best options for protecting yourself. Unfortunately, it is not available everywhere. It just so happens to work in Google's Chrome browser, so there is a good PR angle. But it can also be manually configured in Firefox, and it can be used for applications such as Facebook and password managers like LastPass.

Yubico and Feitian are both reliable manufacturers of security hardware, if you want to start using U2F in your everyday life. You can find out more about installing everything here.

[Krebs on Security]
