Google Case Study
From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service. Even if the authenticator’s response is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.
Over two years ago, Google published the results of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps in integrating FIDO protocols into their consumer and enterprise authentication flows.
Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.
With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s Touch ID.
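The phishing and replay resistance described in this case study comes down to checks the relying party runs on every WebAuthn assertion. The Node.js sketch below is an added illustration, not Google's or the FIDO Alliance's code; the origins, challenges, key pair and the function names `signAssertion`, `verifyAssertion` and `demo` are constructed for the example, and a single P-256 key stands in for the security key.

```javascript
// Added example; origins, challenges and key pair are constructed values.
const crypto = require("crypto");
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();

// Stand-in for browser + security key: the browser, not the page, records the origin.
function signAssertion(privateKey, browserOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: browserOrigin,
  }));
  // authenticatorData: rpIdHash (32) | flags (1, user present) | signCount (4)
  const rpIdHash = sha256(new URL(browserOrigin).hostname);
  const authData = Buffer.concat([rpIdHash, Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying-party checks; returns "ok" or the name of the first check that failed.
function verifyAssertion(a, publicKey, expected) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong type";
  if (c.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (c.origin !== expected.origin) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const rp = { origin: "https://accounts.example.com", rpId: "accounts.example.com" };
  const first = crypto.randomBytes(32), second = crypto.randomBytes(32); // one per login attempt
  const genuine = signAssertion(privateKey, rp.origin, first);
  // Worst case for a look-alike site: same key signs (real credentials are scoped to the RP ID).
  const phished = signAssertion(privateKey, "https://accounts.example.com.login.test", first);
  // Captured response with its challenge rewritten to the fresh one.
  const edited = JSON.parse(genuine.clientDataJSON.toString("utf8"));
  edited.challenge = second.toString("base64url");
  const tampered = { ...genuine, clientDataJSON: Buffer.from(JSON.stringify(edited)) };
  return {
    genuine: verifyAssertion(genuine, publicKey, { ...rp, challenge: first }),
    phished: verifyAssertion(phished, publicKey, { ...rp, challenge: first }),
    replayed: verifyAssertion(genuine, publicKey, { ...rp, challenge: second }),
    tampered: verifyAssertion(tampered, publicKey, { ...rp, challenge: second }),
  };
}
console.log(demo());
```

Only the response produced on the real origin for the current challenge verifies; the server should also discard each challenge after its first use.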
Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.
This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report.