From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service, even if the authenticator’s responses is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.
There has not been a successful phishing attack against their 85,000+ employees since requiringuse of physical security keys.
Over two years ago, Google published the result of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps with integrating FIDO protocols into their consumer and enterprise authentication flows.
Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.
With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s TouchlD.
Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.
This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019″ Report.