Beyond passwords: a roadmap for enhanced user security
Karthik Lakshminarayanan
Director, Product Management, Cloud Identity
When it comes to user security, a constant battle plays out between strong security controls and end-user convenience. Finding the right balance is well worth the effort; a well-designed and thoughtfully implemented security solution can be a true business enabler, allowing employees to work from anywhere, on any device — without compromising security. During Safer Internet Week, we wanted to share some of our views on the current state of user security, discuss a few approaches that we’ve taken to strengthen user protection, and offer suggestions on what you can do today as an organization to improve your security posture.
Passwords are ubiquitous, but they’re often not enough
Online service providers, including Google, have long realized that a password alone is insufficient to protect user accounts. Users often reuse passwords across multiple services, and if one service is compromised, all of the user’s online accounts are now at risk. Employees are also often tricked into revealing their passwords, most commonly through phishing, a technique where attackers dupe users into believing they’re interacting with a legitimate service. Phishing attacks are widespread and often effective—71% of all targeted attacks start with spear phishing, according to the Symantec 2018 Internet Security Threat Report. So how can we address the shortcomings of passwords?
2SV / 2FA as a protection against password reuse
The primary protection against password reuse by an attacker is 2-step verification (2SV), also known as two-factor authentication (2FA) or multi-factor authentication (MFA). With 2SV, a user needs two things to log in to an account: 1) something they know (often a password), and 2) something they possess (the second factor), which can include hardware-based one-time password (OTP) tokens, time-based OTP smartphone apps (e.g. Google Authenticator), codes delivered via SMS or phone call, or smartphone push notifications. Even if a user’s password is known, the attacker doesn’t have access to the second factor, so the account cannot be compromised.
Using FIDO security keys to prevent account takeovers
As is typical in the cat-and-mouse game of security, malicious activity has intensified on remaining points of vulnerability. While 2SV is a strong step beyond a simple username and password, there are still ways that it can potentially be exploited. Many 2SV methods are vulnerable to man-in-the-middle (MITM) attacks; they are no different from a password in that they can be captured and re-used by a malicious actor.
What’s missing with most 2SV methods is the ability for the technology to ensure that the user is providing their credentials to their intended destination and not to an attacker. Security keys based on the FIDO Alliance standard, such as Titan Security Keys, help solve this problem by providing cryptographic proof that the user is in possession of the second factor and that they’re interacting with a legitimate service. Security keys have been shown to be easier to use and more secure than other methods of 2SV. This level of protection is particularly important for high-value users such as cloud administrators or senior executives. Last year, Google disclosed that there have been no reported or detected G Suite account hijackings after security key deployments, a major security win for adopters of this technology.
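The origin binding described above, seen from the service's side, as an added example that is not Google's code. It assumes the WebAuthn flavour of FIDO, where the browser reports the origin and the authenticator reports a hash of the relying-party ID; the host names, challenge and sample builder are constructed, and signature verification is a separate step not shown.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed service origin

def b64url(data):
    """Unpadded base64url, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return the names of failed binding checks; an empty list means all pass."""
    if len(authenticator_data) < 37:           # rpIdHash(32) + flags(1) + signCount(4)
        return ["length"]
    client = json.loads(client_data_json)
    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type")
    # The challenge must be the one this server issued for this login attempt.
    if client.get("challenge") != b64url(issued_challenge):
        problems.append("challenge")
    # The browser records the origin the user was actually on.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    # The authenticator scopes the credential to the relying-party ID.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")
    if not authenticator_data[32] & 0x01:      # bit 0 = user present
        problems.append("userPresent")
    return problems

def sample_assertion(origin, rp_id, challenge):
    """Constructed sample of what a browser and authenticator would report."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + (7).to_bytes(4, "big"))
    return client_data, auth_data

if __name__ == "__main__":
    challenge = bytes(range(32))               # constructed; use a CSPRNG in practice
    for origin, rp in [("https://login.example.com", "login.example.com"),
                       ("https://login.example.test", "login.example.test")]:
        cd, ad = sample_assertion(origin, rp, challenge)
        print(origin, "->", check_assertion(cd, ad, challenge) or "ok")
```

An OTP typed into a look-alike page carries no such record of where it was entered, which is why it verifies wherever it is replayed while this assertion does not.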
Even more phishing and malware protection through machine learning
While FIDO security keys have proven to be a great method to protect users against account takeovers, we also work to automatically detect and prevent attacks that lead to password compromises in the first place. We use constantly refined machine learning models to quickly identify suspicious behavior and help you take action before harm is done to your organization. Examples include:
- Automatically flagging emails from untrusted senders that have encrypted attachments or embedded scripts, which often indicate attempts to deploy malicious software
- Warning against email that tries to spoof employee names or that comes from a domain name that looks similar to your own, common phishing tactics
- Scanning images for phishing indicators and expanding shortened URLs to uncover malicious and deceptive hyperlinks
- Flagging abnormal sign-in behavior and presenting these users with additional login challenges
Security Center, included with G Suite Enterprise and Cloud Identity Premium, can also help highlight potential threats, bringing together security analytics, actionable insights, and best practices from Google to empower you to further protect your organization, data, and users.
Take action today to improve user security
Strong user security is a must-have in today’s world, but it doesn’t need to come at the expense of user experience or productivity. End-user-friendly 2SV methods can be enabled via solutions like G Suite and Cloud Identity. For your high-value employees, such as IT admins and executives, we strongly recommend enforcing security keys for the strongest account protection. Start protecting your users today with a free trial of Cloud Identity.