If you have been hacked in recent years, chances are you fell for a perfectly crafted phishing message in your email. Even the most careful people can slip up, but Google's employees have reportedly kept an impeccable security record for more than a year, since they were recently required to use physical security keys.
Krebs on Security reports that in early 201
A Google spokesman said that the security keys now form the basis for all account access at Google.
"There have been no reported or confirmed account takeovers since implementing the security keys on Google," the spokesman said. "Users may be asked to authenticate with their security key for many different apps / reasons, all depending on the sensitivity of the app and the user's risk at that point in time."
A Google spokesperson confirmed this statement when reached by Gizmodo.
Obviously, Google employees are a major target for hackers. Even a successful phishing attack on a low-level employee can provide just enough access to invade sensitive systems or create a jump point to target an employee with deeper access. So, if Google says it may have weathered thousands of attacks over a year without any known incident, it's worth sitting up and taking notice.
You probably already use two-factor authentication for at least some of your accounts, and if not, you certainly should. The idea is that anyone who tries to access an account needs to take an extra step. For example, if you simply clicked on a dodgy link in your inbox and accidentally passed your Gmail password to a hacker, the hacker would still need to retrieve the code from a text message or Authenticator app to get into your account. Before implementing the physical security key requirement, Google employees used Google Authenticator for this second level of protection.
Last year, the company took things a step further with Universal 2nd Factor (U2F) authentication, using a device like the popular USB YubiKey. Even the SMS codes sent to your phone can be stolen by a determined hacker, but a security key must be physically inserted into the device you are using. If a hacker really wanted to get into your files, they would have to get their hands on the device themselves.
Until we find a better alternative to passwords, U2F is one of the best ways to protect yourself. Unfortunately, it is not available everywhere. It only works in Google's Chrome browser, so there's a good PR angle, though it can also be configured manually in Firefox. It can be used for apps like Facebook and password managers like LastPass as well.
Yubico and Feitian are both trusted security key hardware manufacturers if you want to leverage U2F in your daily life. You can read more about how to set everything up here.
[Krebs on Security]