It turns out the key to counteracting employee phishing at Google is an actual key.
The company began using physical USB-based security keys in early 2017, and since then none of its 85,000-plus employees have been phished on their work accounts, Krebs on Security reported today. The keys serve as an alternative to conventional two-factor authentication, in which users first log in to a website with a password and then must enter an additional one-time code, usually sent to their phone by text message or generated by an app.
The keys don't stop phishing attempts. But even if thieves do get hold of your password, they can't use it to get into your account.
A Google representative told Krebs on Security that security keys are used for all account access at the company.
"We have had no reported or confirmed account takeovers since implementing security keys at Google," the representative told the publication. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
Google didn't immediately comment.
Before 2017, Google employees used one-time codes generated by the Google Authenticator app, according to Krebs on Security. A security key, which retails for as little as $20, instead uses a version of multi-factor authentication called Universal 2nd Factor (U2F). U2F lets users log in by inserting the USB device and pushing a button on it. After the device is linked to a certain site, users don't have to enter their passwords anymore.
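Why a phished password is not enough on its own comes down to origin binding, shown here in an added Python sketch that is not Google's code or any U2F library: the key only signs for the app ID it was registered under, and the site checks that the signed client data names its own origin. The origins are constructed, and an HMAC stands in for the per-site ECDSA signature a real key produces.

```python
import hashlib, hmac, os

def _h(s):
    return hashlib.sha256(s.encode()).digest()

class SecurityKey:
    """Toy U2F-style key. A real key holds a per-site ECDSA key pair; here a
    random per-registration secret plus HMAC stands in for the signature."""
    def __init__(self):
        self._slots = {}                      # key_handle -> (app_id, secret)

    def register(self, app_id):
        handle, secret = os.urandom(8).hex(), os.urandom(32)
        self._slots[handle] = (app_id, secret)
        return handle, secret                 # secret plays the 'public key' role here

    def sign(self, handle, app_id, client_data):
        bound_app, secret = self._slots[handle]
        if bound_app != app_id:               # handle only works for the origin it was made for
            raise ValueError("key handle not registered for " + app_id)
        return hmac.new(secret, _h(app_id) + _h(client_data), hashlib.sha256).hexdigest()

def browser_sign(key, page_origin, handle, challenge):
    # The browser, not the page, fixes the origin from the URL it actually loaded.
    client_data = f'{{"origin":"{page_origin}","challenge":"{challenge}"}}'
    return client_data, key.sign(handle, page_origin, client_data)

class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.users = app_id, {}

    def enroll(self, user, key):
        self.users[user] = key.register(self.app_id)

    def login(self, user, password_ok, challenge, client_data, signature):
        handle, secret = self.users[user]
        if not password_ok or f'"origin":"{self.app_id}"' not in client_data \
                or f'"challenge":"{challenge}"' not in client_data:
            return False                      # wrong origin or replayed challenge
        expected = hmac.new(secret, _h(self.app_id) + _h(client_data), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

REAL = "https://accounts.example.com"         # constructed origins, not real sites
PHISH = "https://accounts-example.com.evil.test"

def run_scenarios():
    key, rp = SecurityKey(), RelyingParty(REAL)
    rp.enroll("alice", key)
    handle, _ = rp.users["alice"]
    challenge = os.urandom(16).hex()
    cd, sig = browser_sign(key, REAL, handle, challenge)
    genuine = rp.login("alice", True, challenge, cd, sig)
    try:                                      # phishing page relays the real challenge,
        cd, sig = browser_sign(key, PHISH, handle, challenge)   # but the browser reports its origin
        phished = rp.login("alice", True, challenge, cd, sig)
    except ValueError:
        phished = False                       # key refuses; a stolen password alone is useless
    return genuine, phished
```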
More sites are adopting U2F authentication, but only a small number currently support it, such as Dropbox, Facebook and GitHub, according to Krebs on Security. It's supported by browsers including Chrome, Firefox and Opera. Microsoft will reportedly update its Edge browser to support U2F later this year.
First published July 23 at 1:40 p.m. PT.
Update, July 25 at 9:58 a.m.: To clarify how attacks are stopped.