For more than a year, none of Google’s more than 85,000 employees have been hacked, thanks to physical security keys that have replaced one-time codes at their workplace.
Security keys are USB-based devices that offer an alternative approach to two-factor authentication (2FA).
In 2FA, users log in to a website using a password and then enter an additional one-time code, usually sent to their smartphones. In Google’s case, the one-time password was sent via an in-house app called Google Authenticator.
A Google representative told Krebs on Security that physical security keys have been used for all work-related account access since early 2017.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the representative was quoted as saying.
“Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time,” the Google representative added.
A physical security key uses a version of multi-factor authentication called Universal 2nd Factor (U2F). U2F lets users log in by inserting the USB device and pushing a button on it.
“After the device is linked to a certain website, users don’t have to enter their passwords anymore,” CNET reported.
More platforms like Dropbox, Facebook and GitHub are now using U2F, which is an emerging open-source authentication standard. It’s supported by browsers including Chrome, Firefox and Opera.
Microsoft is also reportedly updating its Edge browser to support U2F later this year.
Yubico is one maker of physical security keys; it sells a basic U2F key for $20.