Phishing attackers have failed to compromise a single employee account at Google since the company mandated authentication using U2F hardware tokens in early 2017.
That’s the remarkable claim made to security writer Brian Krebs, who received the following statement on the topic from a company spokesperson:
We have had no reported or confirmed account takeovers since implementing security keys at Google.
Given that Google has 85,050 employees, all of whom would be prized targets for phishing attacks, this is a remarkable advert for tokens, which reports suggest are Yubico’s Universal 2nd Factor (U2F) Yubikey.
This doesn’t rule out the possibility that phishing attackers have been able to steal employee credentials, simply that they haven’t been able to overcome the extra layer provided by token security to take control of an account.
Naked Security has discussed U2F tokens before, the basic principle of which is that users must authenticate themselves to their account using a username, a password, but also by plugging in a token that is individual to each user.
This is what is meant by old-school two-factor authentication – users authenticate themselves with something they know (their password) and something they have (their token).
Google has long recommended consumers use this kind of security when accessing its services, even offering a special type of Advanced Protection Program (APP) account for users who think they might be at high risk of attack in which U2F keys are mandatory. Tokens can also be used to add security to a growing number of other sites, including Dropbox, Facebook, and all major password managers.
Google’s statement to Krebs hinted at other security layers:
Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.
This appears to be a reference to the fact that Google’s systems can ask employees to present their keys in a number of contexts and not only when logging on to email when they start work. It’s a secondary trend in which regular re-authentication slows attackers who do somehow compromise an account.
Is the future U2F?
If U2F tokens are such an effective way to boost security, why do so few people beyond Google use them?
One would expect Google to be a big advocate as it was one of the founding backers of the FIDO Alliance under whose auspices the U2F standard was developed.
And Google has a good reason to persevere with U2F tokens in the form of another emerging standard called WebAuthn under which passwords will be consigned to history in favour of strong authentication.
Sadly, although the enthusiasm for U2F has spread to some other big companies, Google admits the same can’t be said for its its own users, most of whom have failed to turn on two-step verification in any form.
David Pottage
I think they must have adopted a rather narrow definition of “employee phishing compromise” in order to make that sort of claim. Either that or they are just not tracking many large categories of attack against employees.
For example, what about fooling staff into emailing internal confidential information to untrusted recipients posing as internal trusted staff. By this I don’t mean account passwords and the like, but sales projections, blueprints for un-announced products, or embargoed financial information.
Secondly does google make any attempt to help protect employee’s personal accounts as distinct from their work accounts. If an attacker broke into a private account and discovered that a highly trusted member of staff had a drinking or gambling problem, or perhaps had a secret abortion, then they could use that information for blackmail in order to get the employee to hand over their U2F hardware token.
In the banking industry, it has been accepted for many decades that about 1% of employees “go bad” every year. Banks can try to reduce it with internal services such as counselling, but ultimately the internal systems need to be resilient so that if someone has a drug or gambling problem and attempts to steal the bank’s money then the damage is contained. I would expect google to have similar internal controls to a bank to protect themselves *when* that happens.
ejhonda
When evaluating and addressing risks, there’s a far greater probability from employees falling victim to phishing than your percentage of those 1% of bad employees going rogue. They’ve hit the most likely risk. Good for them
John E Dunn
Their claim is as narrow as it needs to be – attackers have not compromised any company accounts since these tokens were deployed.
It’s not a magic forcefield but is still an interesting vindication of this technology.
Paul Ducklin
I’m inclined to agree with the OP. It isn’t quite clear what is being claimed here. The article (and your comment) says bluntly that “no accounts were compromised”, which is a pretty broad claim; elsewhere – including the headline – the claim is much narrower, implying merely that that no one has been phished for a password to the point that someone else was able to log in as a result.
When I saw this story going around I couldn’t help thinking of Google’s not-so-long-ago annouceent that there wasn’t any more malware for Android…
…it was all just Potentially Harmful Applications instead :-)