
To Stop Phishing, Google Gave Security Keys to All Employees

Google's investment in giving USB security keys to all employees has been paying off. The employees haven't reported any takeovers of work-related accounts since 2017, when the new policy was introduced.

By Michael Kan, Principal Reporter


How is Google preventing its employees from getting hacked? By using some hardware anyone can buy: USB security keys.

SecurityWatch

In 2017, the company began giving out physical security keys to all 85,000 employees. And since then, no employees have reported any confirmed takeovers of work-related accounts, Google said on Monday.

The news, which was first reported by the security journalist Brian Krebs, highlights how a physical security key can prevent your online accounts from getting breached. Simply protecting your account with a password often isn't enough. Hackers can sometimes guess passwords, or they can use a phishing email to trick you into giving them up.

However, a security key offers a level of protection that can stop even the best hackers from infiltrating your accounts. It works like this: Any computer that attempts to log in will need both the password and the physical key.

Security experts call this setup two-factor authentication, in which you need both the password and another piece of information to access the account. The biggest internet services, such as Google, Facebook and Twitter, actually already offer this security solution and you can use it now for free.

YubiKey Neo

The only difference is that this two-factor authentication is generally used with a password and a special code that is generated over your smartphone. Trying to hack someone with this security setup isn't easy, but it can still be done.

Imagine a hacker who has your phone number. He could try to trick you into giving up the special one-time codes generated over your smartphone. Other hackers have managed to crack two-factor authentication by spying over a cellular network and intercepting the SMS messages loaded with the special codes.

A physical security key solves this problem by introducing actual hardware into the equation. Passwords and special codes are all digital, making them easy to send and replicate. A USB security key, on the other hand, isn't. To break into your account, a hacker has to not only know your password, but personally come and steal your security key from you. This probably explains why Google employees have been so hard to phish.
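The difference described above, as an added example that is not part of the original article: a one-time code is just digits that the server accepts no matter where they were typed, while a U2F security key's answer also covers the address of the site that asked for it, as reported by the browser. The function names, sample keys and example domains are constructed for illustration, and an HMAC stands in for the public-key signature a real key produces.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code, computed the way an authenticator app does."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def server_accepts_code(secret: bytes, code: str, now: int) -> bool:
    # The server sees only the digits; nothing records which page they were typed into.
    return hmac.compare_digest(code, totp(secret, now))

def key_response(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    # The browser, not the user, supplies the origin of the page making the request.
    # Stand-in (assumption): a real key signs with a per-site private key, not an HMAC.
    msg = challenge + b"|" + origin.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

def server_accepts_key(device_key: bytes, challenge: bytes,
                       response: bytes, expected_origin: str) -> bool:
    expected = key_response(device_key, challenge, expected_origin)
    return hmac.compare_digest(response, expected)

# Constructed sample values, not taken from the article.
SECRET = b"12345678901234567890"          # RFC 6238 test secret
DEVICE_KEY = b"constructed-device-key"
CHALLENGE = b"constructed-login-nonce"
REAL_SITE = "https://accounts.example.com"
LOOKALIKE_SITE = "https://accounts.example-login.test"

def demo() -> dict:
    code = totp(SECRET, 59)  # what the user reads off the phone
    on_real = key_response(DEVICE_KEY, CHALLENGE, REAL_SITE)
    on_lookalike = key_response(DEVICE_KEY, CHALLENGE, LOOKALIKE_SITE)
    return {
        # Same digits, same result, whichever page collected them.
        "code_accepted": server_accepts_code(SECRET, code, 59),
        "key_on_real_site": server_accepts_key(DEVICE_KEY, CHALLENGE, on_real, REAL_SITE),
        "key_on_lookalike": server_accepts_key(DEVICE_KEY, CHALLENGE, on_lookalike, REAL_SITE),
    }

if __name__ == "__main__":
    print(demo())
```
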

If you're in the market for a security key, the most popular manufacturer of them is Yubico, which offers them starting at $20. The more expensive models can be used to connect with a smartphone or a USB-C port.

Not every site supports USB security keys, but the biggest services including Google, Facebook, Dropbox and most recently Twitter do. The whole tech industry is also working to roll out new login standards that'll help make support for the keys universally accepted.

If you're on a budget, using two-factor authentication is still recommended. But it's a good idea to generate the special codes you'll receive through an authenticator app, instead of via SMS messages.

