Google is sending security hardware to 10,000 Gmail customers who are at high risk of being hacked to protect them from phishing attacks, it was revealed this week. This “high-risk” cohort contains executives as well as political activists, journalists and human rights advocates. Coming hot on the heels of Microsoft’s password-free identification roll-out, Google is the latest tech giant to look beyond passwords to provide improved security for customers.
Who is receiving Gmail security keys?
Google is providing security hardware in the form of security keys to Gmail customers who it deems “high-risk” to protect them from state-sponsored attackers trying to access their systems. “It seems like the free keys are mainly for business executives, as well as human rights activists, election authorities and women at high risk of online attack such as journalists, dissidents, politicians,” says Paul Bischoff, privacy advocate at cybersecurity product comparison website Comparitech.
This is because state-sponsored groups are more likely to go after people whose data has strategic value within their organisations, explains David Emm, principal security researcher at cybersecurity company Kaspersky.
Additionally, Javvad Malik, lead security awareness advocate at security platform KnowBe4, says the common factor among those receiving a security key is their political significance. “A lot of the high-risk ones that we see in this case are mainly the type of people you would see targeted by the NSO group: politicians, activists and journalists,” he says.
What is Google’s Advanced Protection Programme?
While its secure protection package, the Advanced Protection Programme (APP), has been on offer since 2017, Google took the decision to provide it for free to some users in response to a hack that affected up to 1,400 Gmail users at the hands of Russian state-sponsored cybercrime group APT28, more commonly known as Cozy Bear.
This latest move is an indicator of a shift in the sector away from passwords, argues Bischoff. “We’re seeing the beginning of a transition away from password-based authentication to other more secure and more manageable authentication systems. Those include one-time passwords, biometric authentication, and physical keys, among others.” Passwords, or credentials, are targeted frequently by threat actors, and the Verizon 2021 Data Breach Investigations Report states that credentials are the most frequently compromised data in Europe, the Middle East and Africa at 70%, followed by internal data at 52% and personal data at 22%. “Social engineering in the form of phishing is very often the means attackers use to obtain them,” the report says.
Security keys are built to help with this. They use public key cryptography to verify both the user’s identity and the URL of the login page the user is actually on. This means a login attempt can be refused even when the attacker has obtained the correct username and password, because the key will not produce a valid signature for a look-alike site.
Microsoft released a similar product last month, and advises its customers to try two-step authentication. “Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives – from email to bank accounts, shopping carts to video games,” wrote Vasu Jakkal, VP of security, compliance and identity at Microsoft, in a blog post announcing the news. Microsoft also announced that the company has introduced the option to go passwordless in order to avoid “common attacks such as phishing, password spray and credential stuffing.”
Malik says passwords will soon be a thing of the past. “I think it’s only a matter of time before we see others also trying to at least introduce stronger forms of authentication,” he says.