While phishing attacks continue to jeopardize today’s organizations (a reported 76% of organizations experienced phishing attacks in 2017), it was refreshing to hear that tech giant Google has apparently eliminated phishing by giving security keys to all of its 85,000 employees.
"We have had no reported or confirmed account takeovers since implementing security keys at Google," a company spokesperson told Krebs on Security last week. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
This is all timely news, as Reddit.com disclosed just yesterday that it suffered a security breach earlier in June, exposing internal data to attackers and reinforcing why relying on mobile text messages (SMS) for two-factor authentication gives companies a false sense of security. It should also serve as a wake-up call to anyone who hasn’t moved beyond this method.
Secure 2FA involves the use of hardware-based security keys
Although Google’s feat is quite impressive, security keys are not new. They are just another form of multi-factor authentication (MFA), one that allows the user to complete the login process simply by inserting a USB device and pressing it.
The key works without the need for any special software drivers. Popular manufacturers of these types of devices, such as Yubico, have seen tremendous growth over the last few years due to this rapid adoption.
At Centrify, we’ve been touting MFA Everywhere for years as a critical component of our Identity & Access Management portfolio. Along the way, we’ve consistently added support for more use cases, including integration with security key vendors such as Yubico to leverage multiple authentication protocols including FIDO U2F.
Our core principles have consistently remained the same. It is only with a platform-based approach to MFA that you can fully protect businesses across users and resources. Whether it be MFA to VPNs, cloud and on-premises apps, mobile devices, server and workstation operating systems, or integrating MFA into privileged access management capabilities such as checking out enterprise passwords and executing privileged commands, Centrify’s differentiation comes from providing user verification via MFA across all user types. This includes an administrator or end user logging in as themselves and elevating privilege, or an IT admin checking out the password for a shared account.
One of the simplest, yet most powerful, ways to confirm identity is to leverage MFA. Not only do you reduce your attack surface, but you also enable IT organizations to adopt a Zero Trust Security model by requiring a higher level of identity assurance.