Google publishes two-year study on use of FIDO U2F Security Keys

Key words often associated with two-factor authentication focus on simplicity, privacy, and security. Those words, however, are broad terms that need definition in order for consumers and enterprises to form opinions and make educated buying choices.

FIDO Universal Second Factor (U2F) is no different, so Google recently published a research paper titled “Security Keys: Practical Cryptographic Second Factors for the Modern Web” to quantify the benefits the internet giant found in using U2F-based two-factor authentication.

The paper outlines Google’s use of FIDO U2F-based Security Keys, manufactured by Yubico, to harden security, improve user satisfaction, and cut support costs.

This data is far from anecdotal. It represents two years of research. The results, as compared to other two-factor authentication schemes tested by Google, showed the Security Key is simple to implement and deploy, easy to use, preserves privacy, and is secure against attackers.

Here are some eye-opening conclusions from Google’s research on its Security Key rollout:.

  • Users reduced, by nearly two-thirds, the time to authenticate with a Security Key as opposed to an OTP via SMS. Most of that time is based on the efficiency of the user since authentication executes in milliseconds.
  • In Google’s rollout, authentication failures fell to zero. The company’s support department estimates the switch from OTP tokens to Security Keys saved thousands of hours per year in cost. These efficiencies allowed Google to give each employee two Security Keys and still realize overall cost reductions.
  • Security Keys met other Google requirements that mandated simple APIs for developers, no user tracking, no identifiable user information on token as well as  protection against password reuse, phishing and man-in-the-middle attacks.

To date, the devices have been deployed to 50,000 employees, and Google reports “our users have been very happy with the switch: we received many instances of unsolicited positive feedback.”

Other technologies referenced and reviewed by Google included OTPs, mobile phones, smart cards, TLS client certificates, and national ID cards. Their research includes a comparison chart of second-factor options based on a respected usability framework published in 2012 by another group of researchers led by Joseph Bonneau, currently a researcher at the Applied Crypto Group at Stanford University.

The paper also spends a significant number of pages describing the technical underpinnings of Security Keys and how they relate to the larger concepts of simplicity, privacy and security.

Research conclusions point to immediate gain from Security Key deployments, but the findings are being offered as a starting point. “We hope this paper serves as an academic foundation to study and improve Security Keys going forward,” Google wrote.

In addition to those stats, Google has publicly presented other figures that compare Google Authenticator and Security Key. Google studies show the Security Key login process was four times faster compared to Google Authenticator (their mobile authentication app), and that use of U2F and public key crypto results in significant fraud reduction.

Talk to our teamTalk to our team

Share this article:


  • FIPS certified vs. FIPS compliant: What’s the real difference?“Is your MFA solution FIPS compliant, or is it certified?”  This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements […]Read moreFIPSNIST
  • 2025 Global State of Authentication survey: A world of difference in cybersecurity habitsIn a world that’s more connected than ever, the landscape of cybersecurity threats is constantly evolving. Bad actors, now supercharged with artificial intelligence (AI), are becoming increasingly adept at exploiting human error through sophisticated phishing and social engineering attacks. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises. […]Read moreGlobal State of Authenticationsurvey
  • Making digital security a right: Inside Yubico’s Secure it Forward programTechnology can be a great equalizer — but only if the strongest protection is within reach. Since 2022, Yubico has donated more than 65,000 YubiKeys to hundreds of organizations worldwide — a retail value of over $3.3 million. Each key helps strengthen digital protection for those doing vital work in their communities. This isn’t just […]Read more
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreYubiKey