Google hasn’t suffered an employee phishing compromise in over a year

Phishing attackers have failed to compromise a single employee account at Google since the company mandated authentication using U2F hardware tokens in early 2017.

That’s the remarkable claim made to security writer Brian Krebs, who received the following statement on the topic from a company spokesperson:

We have had no reported or confirmed account takeovers since implementing security keys at Google.

Given that Google has 85,050 employees, all of whom would be prized targets for phishing attacks, this is a remarkable advert for tokens, which reports suggest are Yubico’s Universal 2nd Factor (U2F) Yubikey.

This doesn’t rule out the possibility that phishing attackers have been able to steal employee credentials, simply that they haven’t been able to overcome the extra layer provided by token security to take control of an account.

Naked Security has discussed U2F tokens before, the basic principle of which is that users must authenticate themselves to their account using a username, a password, but also by plugging in a token that is individual to each user.

This is what is meant by old-school two-factor authentication – users authenticate themselves with something they know (their password) and something they have (their token).

Google has long recommended consumers use this kind of security when accessing its services, even offering a special type of Advanced Protection Program (APP) account for users who think they might be at high risk of attack in which U2F keys are mandatory. Tokens can also be used to add security to a growing number of other sites, including Dropbox, Facebook, and all major password managers.

Google’s statement to Krebs hinted at other security layers:

Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.

This appears to be a reference to the fact that Google’s systems can ask employees to present their keys in a number of contexts and not only when logging on to email when they start work. It’s a secondary trend in which regular re-authentication slows attackers who do somehow compromise an account.

Is the future U2F?

If U2F tokens are such an effective way to boost security, why do so few people beyond Google use them?

One would expect Google to be a big advocate as it was one of the founding backers of the FIDO Alliance under whose auspices the U2F standard was developed.

And Google has a good reason to persevere with U2F tokens in the form of another emerging standard called WebAuthn under which passwords will be consigned to history in favour of strong authentication.

Sadly, although the enthusiasm for U2F has spread to some other big companies, Google admits the same can’t be said for its its own users, most of whom have failed to turn on two-step verification in any form.