- Google says a security key that it developed helped kill all successful account takeovers by phishing at the company.
- The company now offers the keys to cloud customers and expects to sell them on the Google store soon.
Google will soon begin selling a plug-in security key meant to help replace using only passwords for logging into computers, an effective solution to the pervasive problem of phishing attacks, according to the company.
The key, which resembles a USB memory stick, plugs into your computer's USB port and bypasses the process of typing in your passwords. In addition to your password, the device provides a unique encryption key for you and your device. If someone else, say a criminal who bought stolen passwords from the dark web, doesn't have it, that person can't access your information.
Google did not announce pricing for the device, but similar gadgets sell for at least $20.
Google has been using the security keys internally in conjunction with password logins for all of its employees, a spokesperson said. The result has been a total falloff in account takeovers from phishing, or the practice of tricking someone into giving their password away via a link that looks legitimate.
"We have had no reported or confirmed account takeovers since implementing [the] security keys," the spokesperson said.
That's a compelling use case, as companies are trying to find a cure for an epidemic of successful, fraudulent phishing attacks by email.
Those scam emails include those that upended the Democratic National Committee in the 2016 elections, rely on the ability of attackers to grab password credentials and misuse them, a process rendered moot when the victim has a physical, second method of authentication in hand. More than 80 percent of data breaches are a result of stolen or weak passwords, and phishing was present in 43 percent of all data breaches, according to a study by Verizon.
The security key acts as a different form of two-factor authentication when logging in to a device or service. Other methods of two-factor authentication include receiving a security code on a mobile device or using a biometric identifier, like a fingerprint. Those two methods have seen some pushback because of the added time to the login process or privacy concerns related to biometrics.
Google developed the keys in conjunction with the FIDO (Fast Identity Online) alliance, an industry consortium that focuses on creating better login alternatives, according to the company.
The key fob is now available for cloud customers directly but will be available for the general public "soon" via Google's online store.