Physical security keys eliminate phishing at Google

Google claims that it has completely eliminated successful phishing attacks against its employees by using physical security keys and Universal Second Factor (U2F).

In early 2017, Google began requiring all of its more than 85,000 employees to use physical security keys for their work accounts. Since then, the company has told Brian Krebs, no employee account has been hacked successfully.

A Google spokesperson said the decision to use U2F physical security keys rather than one-time password (OTP) authentication was based on internal testing.

"We believe that security keys offer the best protection against phishing," a Google spokesperson wrote by e-mail. "We conducted a two-year study that showed that OTP-based authentication had an average failure rate of 3%, and that with U2F security keys we do not have to worry about it: none failed."

Lane Thames, senior security researcher at Tripwire in Portland, Oregon, said the main reason these software-based methods are less secure is "because attackers can potentially intercept these OTPs remotely."

"Another problem is the mass production of OTPs that users can store locally or even print. This is done in order to make the 2FA [two-factor authentication] process a little easier for end users, or so that end users can record OTPs for later use if they do not have access to their phone when the code is needed," Thames wrote by e-mail. "This sounds like a similar problem where users write down passwords and leave them around their workspace."

However, John Callahan, CTO at Veridium, an identity and access management software vendor based in Quincy, Mass., offered a different view. "Some people who use a U2F key are afraid of losing it or damaging it. This is where biometrics can play a key role, as methods using biometrics help prevent attacks," Callahan wrote by e-mail. "The use of biometrics with the Google Authenticator app is a secure solution because a cell phone is always nearby to authenticate a transaction."

Moving businesses to physical security keys

The same keys underpin Google's Advanced Protection Program, which was deployed to allow high-risk users to protect their Google accounts. A physical security key, such as a YubiKey, can authenticate a user by simply being inserted into a computer, tapped against an NFC-enabled smartphone, or connected to an iOS device via Bluetooth.

Nadav Avital, head of threat research at Imperva, based in Redwood Shores, California, said that "in an ideal world," more companies would require multifactor authentication (MFA).

"In general, physical keys offer better security, because software authentication relies on a shared secret between the client and the provider that can be discovered. Unfortunately, most people do not use it [2FA or MFA], neither physical nor software-based, because they do not understand the implications or because they prefer simplicity over security," Avital wrote by e-mail. "Customers may suffer from fraud, data theft or identity theft, while the business may suffer reputational damage, financial damage and the like."
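Avital's shared-secret point, as an added example in Go that is not from the article or any company it quotes: an RFC 6238 TOTP the server recomputes from the same secret the phone holds, beside a U2F-style challenge-response in which the key signs the origin the browser reports, so the real server rejects an assertion produced on a look-alike domain. The origin strings, secret, timestamp and challenge are constructed sample values, and the signed-digest layout is a simplified stand-in for the real U2F message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
)
// totp derives a 6-digit code from a shared secret (RFC 6238, SHA-1, 30 s step).
// Phone and server hold the same secret, so the code is valid wherever the user types it.
func totp(secret []byte, unixTime int64) uint32 {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// signedDigest is what the U2F-style key signs (simplified layout, an assumption of
// this example): the origin the browser reports is bound into the signed message.
func signedDigest(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}

// Verify is the real server's check: it recomputes the digest over its OWN origin,
// so a signature made while the user was on a look-alike domain does not verify.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedDigest(origin, challenge), sig)
}
// RelayDemo asks, for credentials the user produced on a look-alike origin: would the
// real server accept the OTP? Would it accept the key's signature?
func RelayDemo() (otpAccepted, keyAccepted bool, err error) {
	secret := []byte("constructed-shared-secret") // constructed sample value
	now := int64(1700000000)                     // constructed sample timestamp
	typedOnLookalike := totp(secret, now)        // user reads the code off the phone
	otpAccepted = typedOnLookalike == totp(secret, now) // server recomputes it: matches
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives only in the key
	if err != nil { return false, false, err }
	challenge := []byte("constructed-challenge") // constructed sample value
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest("https://accounts.example.net", challenge))
	if err != nil { return false, false, err }
	keyAccepted = Verify(&priv.PublicKey, "https://accounts.example.com", challenge, sig)
	return otpAccepted, keyAccepted, nil
}
```

RelayDemo returns (true, false, nil): the relayed OTP is indistinguishable from a legitimate one, while the key's assertion is bound to the look-alike origin and fails verification at the real server.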

Richard Ford, chief scientist at Forcepoint, an Austin, Texas-based cybersecurity firm, said it may be premature to worry about the best way to implement 2FA because "we still have lots of companies who still use user names and simple passwords."

"This is a security trade-off. Look at your risk profile, and try to look a bit into the future," Ford said. "Remember that what you are planning today will not be a reality for a while, so you want to skate to where the puck is going. So, please, do not let the perfect be the enemy of the good."

The experts noted that not all IT teams would have as much time or money as Google to convince the board to invest in physical security keys or another form of multifactor authentication.

Matthew Gardiner, cybersecurity expert at Mimecast, an e-mail and web security company based in Lexington, Massachusetts, suggested framing the problem in terms of risk reduction.

"It is difficult to quantify the risks unless you have recently been breached, and it is now a security best practice that is incredibly cheap and easy to use from a multitude of vendors and cloud service providers," Gardiner wrote by e-mail. "I can only assume that if organizations still use only one authentication factor to support B2B or B2E applications, they must think that they have nothing precious to the attackers."

Ford said it was probably best not to harangue the board for effect, "as tempting as it can be."

"I would suggest, however, that the Google data itself can be of great value in scoping the activity, and I think there is a lot of data available to support investment in more sophisticated authentication mechanisms," Ford wrote. "Start with a discussion of Google and its recent successes in this space, and organize a reasoned – and money-based – discussion about the data you have at stake. If you provide the board with the right data points, they will most likely make the right decision."
