Google Employees' Secret to Never Getting Phished Is Using Physical Security Keys


If you’ve been hacked in recent years, odds are you fell for that perfectly crafted phishing message in your email. Even the most mindful individuals can slip up, but Google’s employees have reportedly had a flawless security record for more than a year thanks to a recent policy requiring them to use physical security keys.

Krebs on Security reports that in early 2017, Google started requiring its 85,000 employees to use a security key device to handle two-factor authentication when logging into their various accounts. Rather than just having a single password, or receiving a secondary access code via text message (or an app such as Google Authenticator), the employees had to use a traditional password as well as plug in a device that only they possessed. The results were stellar. From the report:

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”


A Google spokesperson confirmed that statement when reached by Gizmodo.

Obviously, Google employees are a prime target for hackers. Even successfully phishing a low-level worker can yield just enough access to get into sensitive systems, or a jumping-off point from which to target an employee with deeper access. So, when Google says it weathered perhaps thousands of attacks over a year without any known incident, it’s worth perking up and paying attention.


You probably already use two-factor authentication for at least some of your accounts, and if not, you certainly should. The idea is that an extra step has to be taken by anyone trying to access an account. For example, if you just had to click that shady link in your inbox and accidentally handed over your Gmail password to a hacker, they’d still need to get the code from a text message or authenticator app to get into your account. Before implementing the physical security key requirement, Google employees used Google Authenticator for that second layer of protection.

Last year, the company took things a step further with Universal 2nd Factor (U2F) via a device like the popular USB YubiKey. Even those text message codes sent to your phone can be hijacked by a determined hacker, but a Security Key has to be physically inserted into the machine you’re using. If a hacker really wanted to get into your files, they’d have to get their hands on the device itself.
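Possession of the device is only half of the story. The other half, and the reason a security key resists the phishing message the article opens with, is that the browser tells the key which site it is actually talking to, and the key's answer is only good for that site. A code from a text message or an authenticator app can be typed into a look-alike page and relayed to the real one; a signature from a security key cannot. The following is an added Go example, not code from the article, from Krebs on Security, from Google, or from any key vendor, that models a U2F key and plays out that relay attempt. The origins, the challenge string and the in-memory key store are constructed for the example; a real key derives a per-site key pair from a key handle rather than storing one, but the origin binding inside the signed message is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed origins for the scenario (hypothetical, not from the article).
const (
	realOrigin  = "https://mail.example.com"  // site the victim has an account on
	phishOrigin = "https://mail-example.com"  // look-alike site from the phishing email
	otherOrigin = "https://forum.example.net" // second site registered with the same key
)

// SecurityKey is a simplified model of a U2F authenticator: one P-256 key pair per
// registered origin plus a signature counter (real keys derive pairs from a key handle).
type SecurityKey struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register creates a key pair bound to appID and returns the public key the site stores.
func (k *SecurityKey) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData lays out the U2F authentication message, SHA-256(appID) || user-presence
// byte || counter || SHA-256(clientData); the appID hash ties the signature to one origin.
func signedData(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, 0x01) // user presence confirmed
	msg = append(msg, ctr...)
	return append(msg, cdHash[:]...)
}

// Sign is invoked by the browser with the origin the page is actually loaded from; the
// page cannot choose that value, and the key refuses origins it never registered.
func (k *SecurityKey) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	priv, ok := k.keys[appID]
	if !ok {
		return 0, nil, errors.New("no credential registered for origin " + appID)
	}
	k.counter++
	digest := sha256.Sum256(signedData(appID, k.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:]) // ASN.1 DER ECDSA signature
	return k.counter, sig, err
}

// Verify runs on the relying party, which hashes its own appID rather than trusting
// anything the client claims about where the signature was made.
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, counter uint32, sig []byte) bool {
	digest := sha256.Sum256(signedData(appID, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunScenario plays out the relay the article warns about: the victim is on phishOrigin,
// which forwards the real site's challenge and hopes to forward the answer. It reports
// whether the genuine login verified, whether the key refused the look-alike origin, and
// whether a signature the same key made for otherOrigin is rejected at the real site.
func RunScenario() (legitVerified, relayRefused, crossOriginRejected bool, err error) {
	key := &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}}
	pubs := map[string]*ecdsa.PublicKey{}
	for _, origin := range []string{realOrigin, otherOrigin} {
		if pubs[origin], err = key.Register(origin); err != nil {
			return
		}
	}
	// Constructed challenge, as the real site would issue it for this login attempt.
	clientData := []byte(`{"typ":"navigator.id.getAssertion","challenge":"constructed-nonce-42"}`)
	ctr, sig, err := key.Sign(realOrigin, clientData)
	if err != nil {
		return
	}
	legitVerified = Verify(pubs[realOrigin], realOrigin, clientData, ctr, sig)
	_, _, signErr := key.Sign(phishOrigin, clientData) // browser reports the origin it is really on
	relayRefused = signErr != nil
	ctr, sig, err = key.Sign(otherOrigin, clientData)
	if err != nil {
		return
	}
	crossOriginRejected = Verify(pubs[otherOrigin], otherOrigin, clientData, ctr, sig) &&
		!Verify(pubs[otherOrigin], realOrigin, clientData, ctr, sig)
	return
}

func main() {
	fmt.Println(RunScenario()) // prints: true true true <nil>
}
```

The two failure paths are the point. The look-alike page never gets a signature at all, because the browser, not the page, supplies the origin and the key has nothing registered for it. And even a signature the same key produced for some other site is worthless at the real one, because the real site's own appID hash is part of what was signed. Neither check depends on the user noticing anything odd about the page in front of them, which is why the attacker's remaining option is the one the article names: getting hold of the device itself.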


Until we figure out a better alternative to passwords, U2F is one of the best options to protect yourself. Unfortunately, it isn’t available everywhere. It just so happens to work in Google’s Chrome browser, so there’s the good PR angle. But it can also be manually configured in Firefox. It can be used for apps like Facebook and password managers like LastPass, as well.

Yubico and Feitian are both trusted manufacturers of security key hardware if you’re looking to start using U2F in your day-to-day life. You can read more about getting everything set up right here.


[Krebs on Security]