Security Keys a step in the right direction
It’s safe to say that the No. 1 reason fraud experts and the FFIEC continue to push multi-factor authentication is that if hackers get past one factor, a second layer of authentication can significantly increase an organization’s defense against identity fraud and other social engineering scams.
In a recent KrebsOnSecurity article, “Google: Security Keys Neutralized Employee Phishing,” the popular search engine says that physical Security Keys have played a major role in protecting more than 85,000 Google employees from phishing attacks. So much so that since early 2017, not a single Google employee work-related account has been successfully phished.
The reason? Employee Security Keys.
Combined with other caller identification tools, Security Keys are a form of authentication that allows Google employees to achieve multi-factor authentication, or what they call Universal 2nd Factor (U2F), by inserting a USB device. By replacing passwords and one-time codes with a physical key, employees are less vulnerable to phishing and other identity-stealing attacks. Plus, with Security Keys, the company doesn’t need to implement special software drivers, and employees don’t have to rely solely on passwords or knowledge-based authentication (KBA) methods to access their accounts.
Because it is a physical USB-based device that only the user possesses and uses to access their account, a Security Key can provide an essential second layer of defense for companies to better protect their customer accounts and confidential information, something that security experts and we at TRUSTID have endorsed all along. Without at least two factors of authentication, along with the removal of costly and nonpredictive agent-based authentication, organizations will continue to put themselves and their customer accounts at risk of fraud attacks.
Today, more and more businesses like Google, Amazon and Visa see the value that physical ownership tokens provide in authenticating customers. As much as ownership tokens are catching on with digital and physical stores, there is an equally valuable use of mobile and landline phones as authentication tokens in the telephone channel. Using something the user has, such as a smartphone, key fob or SIM card, along with other credentials that don't require something the user knows (password, PIN or answers to security questions), can help build a stronger defense against today’s advanced fraud and social engineering scams.
For organizations striving to achieve true multi-factor authentication, Google's alternative approach of arming employees with Security Keys to protect their accounts is a step in the right direction.