Far more than a “Token” security gesture

Google’s new mandatory security keys cut successful phishing attacks to zero

The ever-present threat of IT security risks has for many remained an ongoing battle: keeping up with nefarious groups that continually try to infiltrate organizations, often resulting in a two-steps-forward, one-step-back scenario. It seems that for every advancement IT security makes, the bad guys almost immediately figure out a way past it … until now.

With the news that hit the airwaves this week, it will be interesting to see how Google measures up to the world of bad guys with the introduction of its new mandatory security keys. For now, Google just might be the single greatest shining example of what to do to combat security threats and how physical security keys can work far better than approaches such as multi-factor authentication.

The new approach began in 2017 when the internet giant ushered in the new era of mandating that its 85,000+ employees carry the Universal 2nd Factor (U2F) physical keys and stop using the older method of the one-time-code approach. The astonishing and telling part of this new practice is that it has seemingly thwarted 100% of phishing attacks—meaning ZERO threats have infiltrated their company with no accounts being taken over.

So, why such fantastic results from such a small device? Simply put, the key is on your person. In more traditional multi-factor authentication practices, hackers are able to intercept and access SMS messages sent to mobile devices, giving them the ability to access private accounts. However, in the case of physical keys that type of vulnerability is removed. Now, of course, like any key that sits in your pocket or bag, there is always the fear of losing it—but in those cases, the device can be digitally rendered null and void.

The added bonus to these devices, beyond the security aspects, is its ease-of-use. Gone are the days of the arduous task of entering a password or generating a code (note my tone of comical sarcasm). But all joking aside, the fact that simply plugging in a key to an available port (or by Bluetooth via mobile device) and pressing a button does come with its advantages—IT security has, in part, always been an exercise in winning the hearts and minds of the masses. In this case, easier means faster adoption.

So where does this leave the masses? Currently, there isn’t much out there for people to really leverage outside of Google Chrome; however, this could change very quickly. Already, sites such as Facebook, along with secure password managers including LastPass and KeePass, are U2F compatible. And Microsoft has announced that U2F for Edge will be introduced later this year. This leaves the big players such as Apple’s Safari and Firefox to jump into the mix.

Like any new technology there will always be the early adopters to push the limits. And, of course, with the news of a zero percent penetration rate I’m more than sure that hackers are working diligently to once again get ahead of the curve. But with such a high success rate amongst such a large number of users, the use case for the technology has experienced a massive proof point.

And though only time will tell if this is truly the future of security, it does show that we may collectively be on the right track to finally limiting attacks and securing our future.