10,000 high-risk users are being provided with free hardware security keys by Google, with the aim of better protecting their accounts from hackers.
Google says it is sending out the free Titan two-factor authentication (2FA) security keys – that provide a phishing-resistant layer of protection – to groups such as politicians, journalists, and human rights activists, who are considered to be particularly at risk from state-sponsored attackers.
Users who enable Google Advanced Protection (APP) and use a hardware security key, will need both their password and the physical key to log into their account. Meanwhile, existing Google authentication services which are less secure than a hardware key will no longer work.
Google’s announcement comes in the wake of the technology giant displaying alerts to approximately 14,000 users that their accounts had been targeted by Russia-backed hackers.
Shane Huntley, director of Google’s Threat Analysis Group (TAG), confirmed on Twitter that the hacking group which prompted the large number of alerts was APT28 (also known as Fancy Bear), which has been behind a spate of high profile attacks in recent years.
Perhaps most infamously, APT28 was responsible for hacking into Hillary Clinton’s presidential campaign and the DNC.
Huntley explained to high-risk users that it was inevitable someone would attempt to compromise their account at some point.
In a tweet, Huntley posted:
“If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn’t be a surprise. At some point some govt backed entity probably will try to send you something.”
Google says that it blocked all of the malicious emails in the latest attack, but because it believed users had been targeted by a government-backed gang it warned them of the attempted hack.
The message from Google is clear: hackers backed by the Russian government have stepped up their attacks and are not afraid of targeting a large number of potential victims at once. Even though Google has seemingly done a good job so far at intercepting the attacks, users should still be on their guard.
And for high-risk users, raised awareness, patching, and adoption of a hardware based 2FA solution such as a security key is a sensible step towards significantly strengthening defenses.