From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service, even if the authenticator’s responses is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.

There has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys.

Over two years ago, Google published the result of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company,  there has not been a successful phishing attack against their 85,000+ employees  since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other  notable steps with integrating FIDO protocols into their consumer and enterprise authentication flows.

Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.

With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s TouchlD.

Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.

This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019″ Report


State of Michigan’s MiLogin  Adopts Passkeys

“FIDO Drives Strong  Authentication Results  for the State of Michigan’s  MiLogin” The State of Michigan’s Department of Technology,…

Read More →

Mercari’s Passkey Authentication Speeds Up Sign-in 3.9 Times

Mercari, Inc. is a Japanese e-commerce company, offering marketplace services as well as online and…

Read More →

Gemini Protects Users with FIDO Authentication

Gemini is a cryptocurrency exchange and custodian, founded by Tyler and Cameron Winklevoss in 2014.…

Read More →

12316 Next