Google: Security keys neutralized employee phishing

Krebs on Security:

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

Security keys have been around for a long time – I used one at an engineering firm I worked at 25 years ago – but I wonder if this kind of implementation will not only become more widely used but maybe trickle down to average consumers. Also, there are security concerns regarding plugging in USB devices at work and how secure those devices are in and of themselves. Still, it is a step towards a different future of passwords.