January 28, 2019

Google Case Study

From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service. Even if the authenticator’s response is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.

Over two years ago, Google published the results of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps in integrating FIDO protocols into their consumer and enterprise authentication flows.

Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.

With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s Touch ID.
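The phishing and replay resistance described above rests on checks the relying party makes on every WebAuthn assertion: the origin recorded by the browser, the RP ID hash from the authenticator, and a single-use server challenge. The Python sketch below is an added example, not code from Google or the FIDO Alliance; the origin, RP ID and function names are hypothetical, the sample responses are constructed, and signature verification is a separate required step that is not shown.

```python
import base64, hashlib, json, os

# Hypothetical relying-party values (assumptions, not from the case study).
EXPECTED_ORIGIN = "https://accounts.example.com"
RP_ID = "accounts.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_challenge():
    return os.urandom(32)  # fresh per login attempt

def check_binding(client_data_json, authenticator_data, issued_challenge, used):
    """Return "ok" or the reason to reject. Run before signature verification
    over authenticator_data || SHA-256(client_data_json), which is not shown."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if issued_challenge in used:
        return "challenge replayed"
    if client.get("origin") != EXPECTED_ORIGIN:  # written by the browser, not the page
        return "origin mismatch"
    if len(authenticator_data) < 37:
        return "short authenticator data"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user touched the key
        return "user not present"
    used.add(issued_challenge)  # single use: a captured response cannot be replayed
    return "ok"

def sample_response(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator would return."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return cdj, auth

if __name__ == "__main__":
    used = set()
    c1 = new_challenge()
    good = sample_response(EXPECTED_ORIGIN, RP_ID, c1)
    print(check_binding(*good, c1, used))   # first use
    print(check_binding(*good, c1, used))   # same response captured and resent
    c2 = new_challenge()
    fake = sample_response("https://accounts.example.com.login.test", RP_ID, c2)
    print(check_binding(*fake, c2, used))   # challenge relayed through a look-alike origin
```

Because the browser, not the page, fills in the origin, a response produced on a look-alike site carries that site's origin and is rejected even when the user cooperates.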

Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.

This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report.
