Could a USB security key stop you getting hacked?

Google Uses Physical USB Security Keys to Prevent Employee Phishing

Google’s 89,000+ employees have had zero phishing incidents since switching to hardware security keys in 2017

This doesn't mean that no Google employee has clicked on a malicious link in an email, for example, only that no phishing attempt has successfully exfiltrated any company data.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," said the spokesperson. It's all due to a $20 gadget called a security key, which Google requires its employees to use. No special drivers or software are needed.

A Google representative told Krebs on Security that physical security keys have been used for all work-related account access since early 2017. The key authenticates log-ins when it is inserted into the computer's USB port and the user presses a button on it. Unfortunately, one-time login codes, which are usually sent through SMS, can already be intercepted by some hacks.

Phishing scams have tricked countless people into compromising their online security, and one of the best ways to stop them is two-factor authentication. Google took this one step further and required all employees to start using security keys, according to Krebs.

This appears to be a reference to the fact that Google's systems can ask employees to present their keys in a number of contexts and not only when logging on to email when they start work.

Naked Security has discussed U2F tokens before. The basic principle is that users must authenticate themselves to their account using not only a username and a password but also a token, individual to each user, that they plug in.

Security experts call this setup two-factor authentication, in which you need both the password and another piece of information to access the account. If the security key is present, the user will be able to log in to any website that the key has been registered with.

More sites are adopting U2F authentication, but only a small number currently support it, such as Dropbox, Facebook and GitHub, according to Krebs on Security. Password managers support U2F as well, including Dashlane, KeePass, LastPass, and Duo Security.

Currently, U2F is supported by Chrome, Firefox, and Opera. However, the report noted that U2F is not enabled by default in Firefox. According to a recent article at, Apple has not yet said when or if it will support the standard in its Safari browser.

You can use a security key with your own Gmail account.

While we're on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection.