A physical key is the secret to Google employees' online security

The company says none of its 85,000 employees have been phished since it adopted the keys.

Abrar Al-Heeti Technology Reporter
Image: Google security key. Security keys have reportedly prevented employee phishing at Google. (Josh Miller / CNET)

It turns out the key to counteracting employee phishing at Google is an actual key. 

The company began using physical USB-based security keys in early 2017, and since then none of its 85,000-plus employees have been phished on their work accounts, Krebs on Security reported today. The keys serve as an alternative to the usual form of two-factor authentication, in which users first log into a website with a password and then must enter an additional one-time code, usually sent to their phone by text message or generated by an app.

The keys don't stop phishing attempts. But even if thieves do get hold of your password, they can't get into your account without the key.

A Google representative told Krebs on Security that security keys are used for all account access at the company. 

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the representative told the publication. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

Google didn't immediately comment. 

Before 2017, Google employees used one-time codes generated by the Google Authenticator app, according to Krebs on Security. A security key, which retails for as little as $20, instead uses a form of multi-factor authentication called Universal 2nd Factor (U2F). U2F lets users log in by inserting the USB device and pressing a button on it. Once the device has been linked to a site, users no longer have to enter their passwords there.
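As an added illustration that is not from the article, Google or Krebs on Security, the following simplified Python model of the U2F sign step shows why a phished password alone does not let a lookalike site log in: the browser writes the page origin into the signed data, and the key only answers for the site it was registered with. The origins, key handles and the HMAC that stands in for the key's real ECDSA signature are constructed for this example.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://accounts.example"          # the real site (constructed)
PHISH_ORIGIN = "https://accounts-example.test"  # lookalike site (constructed)

class SecurityKey:
    # Model of the USB key. Real keys sign with a per-registration ECDSA P-256
    # key pair; an HMAC over a per-registration secret stands in for that here.
    def __init__(self):
        self._regs = {}                         # key handle -> (app ID, secret)

    def register(self, app_id):
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._regs[handle] = (app_id, secret)   # each handle is bound to one app ID
        return handle, secret                   # secret stands in for the public key

    def sign(self, app_id, handle, client_data_hash):
        bound_app_id, secret = self._regs[handle]
        if app_id != bound_app_id:
            return None                         # refuse: handle not registered for app ID
        msg = hashlib.sha256(app_id.encode()).digest() + client_data_hash
        return hmac.new(secret, msg, hashlib.sha256).digest()

def browser_sign(key, page_origin, app_id, challenge, handle):
    # The browser records the page origin in the client data and only lets a page
    # request a signature for an app ID its origin owns (the U2F facet check).
    if app_id != page_origin:
        return None
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    sig = key.sign(app_id, handle, hashlib.sha256(client_data.encode()).digest())
    return None if sig is None else (client_data, sig)

def rp_verify(secret, challenge, response):
    # Relying-party side: the origin and challenge must match, then the signature.
    if response is None:
        return False
    client_data, sig = response
    cd = json.loads(client_data)
    if cd.get("origin") != RP_ORIGIN or cd.get("challenge") != challenge:
        return False
    msg = hashlib.sha256(RP_ORIGIN.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), sig)

def login_from(key, handle, secret, page_origin):
    # A page at page_origin relays a fresh challenge from the real site and asks the
    # key to sign for the real site's app ID, which is what a phishing proxy must do.
    challenge = secrets.token_urlsafe(16)
    return rp_verify(secret, challenge, browser_sign(key, page_origin, RP_ORIGIN, challenge, handle))
```

A phishing page fails at one of two points: the browser will not sign for the real site's app ID from a different origin, and the key will not sign for the phishing origin with a handle registered to the real site.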

More sites are adopting U2F authentication, but only a small number currently support it, among them Dropbox, Facebook and GitHub, according to Krebs on Security. Browsers including Chrome, Firefox and Opera support it, and Microsoft will reportedly add U2F support to its Edge browser later this year.

First published July 23 at 1:40 p.m. PT.
Update, July 25 at 9:58 a.m.: To clarify how attacks are stopped.