Phishing is a difficult problem to eradicate. The impersonation of an authority to get the log-in codes or other data from internet users is not always taken care of, and that means that especially internet users who do not have so much experience on the web can step into it. Sometimes, however, a phishing attack is set up so meticulously that even for people who spend the whole day on the web and in their mailbox all day long it is difficult to see whether it is a real or false report. Also at companies things go wrong : more than three quarters sometimes fall prey to this kind of attacks.
At Google that problem has been solved completely internally, according to an article from Krebs on Security . Since 2017, none of the nearly 90,000 employees have been hooked up there and the reason is simple: everyone at Google has been forced to switch to hardware-based 2-factor security since last year. every time someone has to log in with Google, the employees have to enter an extra code, but not on their phone. That method also turns out not to be as watertight as previously hoped, so Google uses a USB stick like a Yubikey.
Universal 2nd Factor
These special USB sticks use an open-source system called Universal 2nd Factor (U2F) and let you press a button on the stick to complete the extra check. That means that even with a username and password you will not be able to enter a Google account without the stick. Once you have logged in via U2F, you no longer have to enter a password for certain sites, unless you try it on another device. Then the stick is asked for again and that system puts phishers completely out of the game.
For now, this is the safest way, but fortunately the internet is a lot safer for everyone when it comes to your passwords and access to websites. The upcoming Web Authentication API (also known as FIDO: Fast IDentity Online) will ensure that we hardly need more passwords on the web . If this method is widely supported, phishing attacks are no longer worthwhile, because there are no more passwords to steal.
However, this is not yet the case, so if you have a lot of sensitive information or just want to be sure that your Google account remains secure, investing a few bucks in such a USB key is certainly worthwhile. If you only work mobile, there are versions that work without a traditional USB connection, so there is a solution for every way of logging in.