How can U2F authentication end phishing attacks?
By requiring employees to use U2F authentication and physical security keys, Google eliminated phishing attacks. Learn how the combination works from expert Michael Cobb.
Google claimed it eliminated successful phishing attacks against its employees through the use of physical security keys and Universal Second Factor (U2F). What are these U2F authentication tools and techniques, and how is it possible for them to eradicate phishing?
Everyone uses email, which is one reason why it is such a popular attack vector for cybercriminals. It's also a simple, low-tech, low-cost attack that looks to exploit weaknesses in human nature, avoiding the need to try to breach a network's or a computer's defenses.
Phishing email messages are written and styled so they appear to be sent by a genuine business or friend known to the recipient. The email may contain malicious links or attachments or try to trick the recipient into transferring money or divulging sensitive information such as login credentials and account information. Cybercriminals are constantly creating new phishing techniques, so despite most people being aware of the dangers of phishing attacks, it still remains an effective way of stealing data and money and is a big problem for security teams.
According to the FBI, business email compromise campaigns -- attacks designed to trick company executives or accounting departments into sending money to fake vendors -- netted criminals at least $676 million in 2017.
Google claims to have successfully tackled the challenge of defending against phishing attacks by requiring employees to use Universal Second Factor authentication and physical security keys whenever they access a company account. Since early 2017, all 85,000-plus Google employees have been required to use physical security keys, and, in that time, no employee has been successfully phished.
The U2F protocol is an open authentication standard supported by the Fast Identity Online (FIDO) Alliance that provides strong second-factor authentication for any number of accounts with one single security key. The user doesn't need to install any drivers or client software: they simply insert the USB key into their device, tap it against a Near Field Communication-capable smartphone, or connect it to an iOS device via Bluetooth, then press the token's button when prompted and enter their password or PIN.
Google chose U2F authentication over software-based one-time password authentication after a two-year study showed that OTP had an average failure rate of 3%, while U2F authentication had a 0% failure rate.
U2F authentication is considered more secure than OTP because the USB key only works on sites with which the user has registered. Additionally, it protects against session hijacking, man-in-the-middle and malware attacks.
Software-based authentication relies on a shared secret between the client and the provider, so hackers can potentially intercept OTPs remotely. Also, some OTP services let users generate OTPs in bulk and store or print them for later use, for when they don't have access to their phones and need an OTP. This is pretty much the same as users writing down their passwords.
Another advantage of U2F authentication and physical security keys is that if the USB token is lost or stolen, it contains no user information, so an attacker can't determine whose it is and which apps it could be used for.
Any form of two-factor authentication (2FA) is better than using simple usernames and passwords, and organizations that handle sensitive data should look at Google's experience. While nothing can stop phishing attacks from being launched, it does appear that this defensive strategy has rendered them ineffective. Multifactor authentication and 2FA options are cheaper and easier to integrate than ever before, and their cost is certainly outweighed by the potential costs of data and identity theft, financial and reputational damage, and potential lawsuits.