Google Employees Use a Physical Token as Their Second Authentication Factor

Krebs on Security is reporting that all 85,000 Google employees use two-factor authentication with a physical token.

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

Now Google is selling that security to its users:

On Wednesday, the company announced its new Titan security key, a device that protects your accounts by restricting two-factor authentication to the physical world. It’s available as a USB stick and in a Bluetooth variation, and like similar products by Yubico and Feitian, it utilizes the protocol approved by the FIDO alliance. That means it’ll be compatible with pretty much any service that enables users to turn on Universal 2nd Factor Authentication (U2F).

Posted on July 26, 2018 at 12:18 PM

51 Comments

Comments

Greg Glockner July 26, 2018 12:30 PM

Forgive the naive question: does a physical security key give significantly more security than a TOTP app on a smartphone? Let’s assume you don’t have a password database on the smartphone, and that you have some kind of remote wipe capability in case the device is lost.

ramriot July 26, 2018 12:58 PM

It’s a start, but until we get a better 1st factor than shared static secrets (passwords) we will not be progressing very far. What is needed is pseudonymous zero-knowledge proofs with lifecycle key recovery systems. FIDO is almost there with FIDO2/UAF, and WebAuthn is a good universal connector, but so far only SQRL seems to fill all the boxes, though it’s not quite release ready.

Matt July 26, 2018 12:58 PM

@Greg Glockner: The thing that comes to mind is that a smartphone, being a general computing device, can plausibly be hacked/rooted so as to allow an attacker to retrieve the current TOTP code at any time. Weaknesses in the operating system could allow a hostile app to get access. A physical key has a specialized purpose and a much simpler interface: it does nothing besides its intended purpose.

Potentially, someone could get access to the physical key and reprogram it (or replace it with an apparent identical duplicate) to do something nefarious, but that would be much more difficult than hacking a smartphone.

The duplicate attack could be a way to substitute a dummy device that doesn’t work, which might prompt the user to use recovery codes to disable 2-factor auth temporarily, weakening their security long enough for an attacker to get in (maybe they already have the password). A more high-tech approach, like cloning the security key onto another key that also has malicious code in it (that would somehow, I dunno, pass the key through the Internet to the attacker in real time) is theoretically possible too.

Carl 'SAI' Mitchell July 26, 2018 1:00 PM

@Greg Glockner

Yes. A smartphone can get malware that steals the TOTP secret keys (the ones used to generate the 6-digit codes). A hardware security key is substantially more difficult to compromise, because they can’t have their firmware updated after manufacture (at least for the decent ones).

Jeremy July 26, 2018 1:11 PM

After reading only the first couple lines, I was suspicious this was going to be a gag article saying Google locks the doors to their office buildings and their employees need specialized physical tokens, called “keys”, to get onto the premises.

youcantbeserious July 26, 2018 2:17 PM

@justinacolmena Perhaps you could suggest US ATM manufacturers abandon the PIN also? Most countries are able to see what you buy. Any non-US citizen traveling to the US has their CC details shared with them so they can be tracked with everyone else.

justinacolmena July 26, 2018 2:42 PM

@youcantbeserious

I am not suggesting “abandoning” the PIN, two-factor authentication, or other security measures.

I am suggesting that the banking cartel cease and desist from “mandating” commercial “solutions” which on the one hand are uniform and standardized throughout the world, and on the other hand proprietary, bug-ridden, and intentionally crippled with regards to any reasonable measure of true security.

Alex July 26, 2018 3:18 PM

I wonder if the Bluetooth stack in Google’s new device is vulnerable to the Bluetooth issue posted on this same blog yesterday

Alejandro July 26, 2018 3:34 PM

I wondered when the idea of a physical key would go full circle.

If I am not mistaken, Yubi keys are made in the USA and Sweden, only. Well, that’s one out of two we can trust.

Generally, I like the idea of a physical key a lot. I forget, what happens if you lose it?

Humdee July 26, 2018 4:51 PM

“Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key.”

That admission ends any hopes that I had for the project.

BTW, I, somewhat surprised that @Bruce didn’t highlight this as yet another step in the feudalization of the internet.

Alejandro July 26, 2018 5:41 PM

@Humdee

I wouldn’t buy a Google Key either. However, stock Yubi keys are readily available for example on Amazon, different flavors, different prices. One of the reviewers points out it plays nicely with Password Safe which has some connection with this site I think.

I am not familiar with the term ‘digital feudalization’ so I looked it up on Wikipedia which explained it all:

“Digital Feudalism is a theoretical framework for analyzing legal frameworks and power relationships in a networked ecosystem. Originally developed by Sascha Meinrath, James Losey and Victor Pickard[1] the term builds on Habermassian theory while connecting histories of Enclosure and Feudalism. Combining legal analysis and social theory, Digital Feudalism is encapsulated in the seminal work by Meinrath, James Losey, and Victor Pickard.[2] Meinrath et al. analyze various mechanisms through which private actors undermine the democratic and participatory platform of the internet. These processes include enclosure, where private actors overtake previously common territory, and Hamermasian re-feudalization wherein commercial interests dominate the public sphere.”

So that pretty much explains it!

😉

RealFakeNews July 26, 2018 5:56 PM

It all depends on the sensitivity of the app and the risk of the user at that point in time.

Risk OF the user? Not TO the user (and their operating environment)?

Anyone else think Google are using this because they’re worried about their employees working against them?

I ask because use of 2FA doesn’t prevent their computer being compromised, photos of the screen being taken, or duress.

65535 July 26, 2018 5:58 PM

Brian Krebs’s story of the success of physical keys or dongles is a little confusing and overstates the advantages of said physical USB keys.

Many Krebs on Security posters point out that the Titan Security Key secures against account takeovers but doesn’t secure against booby-trapped emails or email attachments containing malware. Further, Google owns its servers with other security measures to keep malware from entering Google’s systems, in addition to the use of physical keys for many years before this new “Titan product” came about.

In short the story is good but not great. Also, Krebs uses Google for Distributed Denial-of-Service [DDoS] attacks and may have been manipulated by Google to help sell their new “Titan” key.

I don’t really know the whole story but I think the Krebs’s posters are correct that booby trapped email my still infect email and this particularly true of little windows shops even with the Titan key. These physical keys are a step forward but are not a silver bullet to the malware problem. Here are Krebs commenters that seem mostly correct.

[Posts for Krebs on Security]:

“PhishKill
July 24, 2018 at 12:51 pm

“This prevents account takeovers, but doesn’t seem to do anything about malware attacks that come through phishing. Seems like it leaves people open to ransomware and other kinds of malware. If I am misunderstanding the purpose, plz correct me… seems like this should make clear that it protects against account hijacking, not phishing attacks in general.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470606

[same topic from a different poster]

“Bob
July 24, 2018 at 11:42 am

“This article overstates the protection provided by security keys. Yubico makes it clear that Yubikeys solved the account takeover problem, not the entire phishing problem.

https://www.yubico.com/about/reference-customers/google/

“That still leaves these phishing problems which are not account takeovers:
– If you trust the machine, then you can log on to that machine (and so can the bad guy) without the device
– Every app doesn’t support these devices, so some stolen username/passwords remain valuable
– Users can still load malware from attachments and evil websites. These undefended compromises could be ransomware, remote command and control, spyware, keystroke catchers, lateral movement, privilege escalation, etc.
– The business email compromise doesn’t use stolen credentials. The authorized person with the credentials enters the bad data following instructions from the phisher. The FBI found that the business email compromise was the leading internet crime.
– Protected sessions can be hijacked, so the bad guy merely uses remote C&C to monitor when the user starts a session.
– Users can still divulge data in email correspondence… giving up payroll tax returns or merely providing information in the text of communications.
Security keys provide an important layer of protection. They don’t solve the phishing problem.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470594

“Steve
July 24, 2018 at 4:48 am

“I’ve been using YubiKeys with LastPass since that option became available. Doing that, plus taking advantage of the password manager’s ability to generate and easily store, manage and fill in different, complex passwords for each website, make it a solid option… YubiKey in this application is only used as a OTP to supplement the master password… a lot of confusion out there, over terminology: U2F is not the same as OTP… the article erroneously claims LastPass supports FIDO U2F. They do not, and it has been a major irritation that they refuse to do so with the classic “you go first” argument: they won’t do it until all the major web browsers do. Instead, they use a OTP generator, either in hardware (original YubiKey or Authy or Google Authenticator). The original YubiKey only supported a couple of OTP technologies, and U2F was added later, to the $50 models… contrast, the inexpensive U2F-only keys, like the Feitian products, only support U2F, not OTP.

“It’s … important to understand the history: Google has been using U2F for many years. Google was a co-developer of U2F. I was a beta tester of the first Yubico-manufactured U2F keys, built for Google and used solely on Chrome Browser and Chrome OS. However, that original (and still available) option to use a U2F key for 2FA can be bypassed if necessary, by using a backup method of exchanging a one-time PIN… different about “Advanced Protection” is this: under Advanced Protection, those backup 2FA options are removed, so a perpetrator can’t phish their way in, by invoking one of the less-secure recovery options — they must have your physical key… I think it was mentioned in the Wired article, that you’ll need to carry both keys with you (in your pocket or on a key chain). This is a terrible idea, as you could lose both of those keys at once. Either do that and get a third key, or only carry one key at a time.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470547

[The walk back by Krebs]

“Eric Wilfong
July 25, 2018 at 12:34 pm

“This is an important distinction re: LastPass. The article should be updated to reflect this as the whole point of U2F is to prevent the phishing methods available for OTP 2FA. Claiming that LastPass supports U2F is incorrect.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470804

“BrianKrebs
July 25, 2018 at 4:13 pm

“Yup. I wanted to check with LastPass before updating the story. I’ve done that and updated the piece with their comment. Thanks.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470822

[Krebs update to story]

‘Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys… l readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:

“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”-Krebs on Security

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

[Odd timing of the Titan key product and the Krebs story]

“RingZero
“July 24, 2018 at 6:07 pm

“…this is not news… seems to be more of a product advertisement for an upcoming Alphabet product. The slowest tortoise in the INFOSEC race (i.e. the US Government) deployed 2FA on hardware tokens 13 years ago… four years after Sun Microsystems. For …tinfoil hat wearers out there, the crypto processors on them weren’t developed by the USG, either. Commercial companies like Oberthur, Gemalto, SCM, etc. and designed to use standards-based x.509 certs and OTP technologies. Widespread adoption of 2FA is still a great thing that reduces the inherent weaknesses of the human factor, but it still does nothing for userspace malware or OS privilege-escalating exploits.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470678

“RingZero
“July 26, 2018 at 11:21 am

“Edit: I had no firsthand knowledge Google was going to start selling their own U2F key when I wrote yesterday’s comment. The whole original writeup seemed a bit phishy (pun intended), and looks like my instinct was dead on…”

https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/

[Krebs replies]

“BrianKrebs
“July 26, 2018 at 11:38 am

“What was phishy about it? …I said on Twitter to someone who insinuated this was timed to Google’s announcement about its own key…Google told me about the lack of successful phishing attacks against its employees almost two months ago. I sat on this story until this week because I had bigger stories to chase. But go ahead and read into what you want.”

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/comment-page-3/#comment-470932

Let’s hear from the security experts: does this physical Titan Key “neutralize” phishing and malware or just solve account takeovers? Are Google’s servers doing the heavy lifting for malware, or the Titan key? Is this a well-timed article which helps Google sell the Titan Key despite glossing over other security measures at Google? What do you think?

Excuse all of the typos and other errors I was in a hurry.

Mark July 26, 2018 7:38 PM

I’d argue using their own software (Google Authenticator) is a better method. Using it on an Android phone, however, is an issue, given how poor Google’s Android security is.

Obijan July 26, 2018 7:53 PM

Somebody explain to me why everybody is freaking out?

  • U2F is an existing, well-documented standard
  • It does a fairly good job of easily authenticating people and preventing phishing attacks
  • It does not protect you from malware, earthquakes, bears or torture
  • Yubikey and a bunch of other vendors have been selling U2F compatible keys for a while now. Most of them are OK.
  • Google, Facebook, Dropbox, github and some others support U2F for login
  • Now Google is ALSO selling U2F keys and everybody loses their minds?

Sed Contra July 26, 2018 8:35 PM

“Consolidate all your debt into one low monthly payment.”

Consolidate all your surveillance capitalism into one simple token.

Mercantile July 26, 2018 9:52 PM

“and preventing phishing attacks” -Is that even true? Mitigating some things sure.

echo July 26, 2018 10:59 PM

On the technical side I thought these tokens were brilliant until I looked at their price and slowly discovered what they did and didn’t do. At the moment I have more reasons not to buy one than to buy one. I will wait until Shenzhen manufactures a metallic pink Magic Security Ring +100 encrusted in Swarovski crystals and it’s available on eBay.

So if someone buys a Google physical token (or from another supplier because “competition law”), will Google delete the telephone number they’re socially engineering end users to divulge? And the NSA too? And other agencies this information has been divulged to? If not, then when can we expect another multiple billion Euro fine?

me July 27, 2018 2:17 AM

Greg Glockner and @everyone
Remember that yubikey and other security keys can’t help you if your pc is hacked because:
1-the hacker can use your yubikey when it’s plugged in the pc
2-if it has a pin (for digital signatures) it doesn’t matter as it can be keylogged
3-the “require touch to make a one time password” is VERY GOOD as the attacker can’t request codes just because the key is plugged, otherwise the key is not much different from an authenticator app
4-in general a hacker can steal authentication cookies if he has access to the pc

but all of this doesn’t matter as the key is intended only to prevent account take over via phishing, as far as i know.
yes, second factor (totp) can be phished like password (doesn’t work with u2f) but if it is correctly implemented you can’t use the code (valid for 30 seconds) both for login and for disable 2fa (which require code too)

tl;dr get a yubikey or authenticator app or any other key you trust, avoid sms and stay safe.

sitaram July 27, 2018 3:41 AM

@Greg Glockner — the big difference in U2F is that a website that looks similar to the one you wanted to visit can never get the U2F device to work. Somewhere in all the crypto, the actual domain name — as reported to the U2F device by the browser — plays a part. So “paypa1.com” (that’s a digit “1”, not the lowercase “l”) will produce garbage at some stage in the process.

Sorry it’s been a long time since I looked at it and my memory isn’t what it used to be.

There is one assumption that U2F makes, and it’s a pretty common one: TOFU, a.k.a “trust on first use”. U2F assumes that the registration step is not compromised; i.e., you were in a safe environment at the time you registered.
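The origin binding sitaram describes, worked through in Go as an added example (this is not code from Google, Yubico or the FIDO specifications). The layout of the signed message is the U2F one; the "appId#n" key-handle format, the `Login` helper and the `paypal.com`/`paypa1.com` names are illustrative stand-ins. It also shows two things the description leaves out: the relying party must check the origin in the clientData itself, and it keeps the last signature counter so that a cloned key shows up as a counter that fails to advance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// What a U2F token signs (raw message format): SHA-256(appId) || user-presence
// byte || 4-byte counter || SHA-256(clientData). The browser supplies appId from
// the page origin; the token itself never sees a URL bar.
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append(append(append(append([]byte{}, app[:]...), 0x01), ctr[:]...), cd[:]...)
	digest := sha256.Sum256(buf)
	return digest[:]
}

// Token models the hardware key: one P-256 key pair per registration and a global
// signature counter. Real key handles are opaque blobs MACed over the appId; the
// hypothetical "appId#n" handle here stands in for that binding.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

func (t *Token) Register(appID string) (handle string, pub *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	handle = fmt.Sprintf("%s#%d", appID, len(t.keys)+1)
	t.keys[handle] = priv
	return handle, &priv.PublicKey
}

// Sign refuses a handle bound to another appId, so a look-alike domain gets no
// signature at all; the 0x01 byte records that the key was touched.
func (t *Token) Sign(appID, handle string, clientData []byte) (uint32, []byte, error) {
	priv, ok := t.keys[handle]
	if !ok || !strings.HasPrefix(handle, appID+"#") {
		return 0, nil, errors.New("token: key handle not registered for this appId")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(appID, t.counter, clientData))
	return t.counter, sig, err
}

// ClientData is the JSON the browser builds; its hash is under the signature.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify is the server side: origin, challenge, signature, then the counter
// (a counter that fails to increase is U2F's signal for a cloned token).
func (rp *RelyingParty) Verify(challenge string, clientData []byte, counter uint32, sig []byte) error {
	var cd ClientData
	switch {
	case json.Unmarshal(clientData, &cd) != nil:
		return errors.New("rp: malformed clientData")
	case cd.Origin != rp.appID:
		return fmt.Errorf("rp: origin %q is not %q", cd.Origin, rp.appID)
	case cd.Challenge != challenge:
		return errors.New("rp: challenge mismatch")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.appID, counter, clientData), sig):
		return errors.New("rp: bad signature")
	case counter <= rp.lastCounter:
		return errors.New("rp: counter did not increase, token may be cloned")
	}
	rp.lastCounter = counter
	return nil
}

// Login is one authentication. An honest browser passes the page's own origin
// as appID; a different appID models a dishonest client lying to the token.
func Login(tok *Token, rp *RelyingParty, handle, appID, pageOrigin, challenge string) error {
	cd, _ := json.Marshal(ClientData{challenge, pageOrigin})
	n, sig, err := tok.Sign(appID, handle, cd)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, cd, n, sig)
}

func main() {
	tok, rp := NewToken(), &RelyingParty{appID: "https://paypal.com"}
	handle, pub := tok.Register(rp.appID)
	rp.pub = pub
	fmt.Println("real site:        ", Login(tok, rp, handle, rp.appID, rp.appID, "c1"))
	fmt.Println("look-alike site:  ", Login(tok, rp, handle, "https://paypa1.com", "https://paypa1.com", "c2"))
	fmt.Println("relayed assertion:", Login(tok, rp, handle, rp.appID, "https://paypa1.com", "c3"))
}
```

Running it prints `<nil>` for the real site and an error for the other two: the look-alike site is stopped inside the token (the handle is not bound to its appId), and the relayed case, where a dishonest client got a signature under the real appId but over clientData naming the phishing origin, is stopped by the origin check on the server. A TOFU compromise at registration, which sitaram mentions, would defeat all of this, since the attacker would simply register a key pair bound to the attacker's own appId.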

sitaram July 27, 2018 3:46 AM

@Mark

I’d argue using their own software (Google Authenticator) is a better method.

Not really, for the simple reason that this relies on you not being fooled by “paypa1.com” into thinking it is “paypal.com” (to use a silly example). U2F is not fooled by that; see my reply to Greg Glockner above.

I do agree about Android security. All but 2 of my TOTP codes are actually on my laptop, and I use “oathtool” to produce the numbers when needed.

Final point, about “their own software”: Google Authenticator is actually pretty crappy; last time I looked it didn’t have a separate PIN (i.e., separate from the phone’s own lock code/pin/pattern/whatever). Since GA is only implementing RFC 6238, you should pick one of the many others. I use “Android Token”; it has an extra PIN so even if someone swipes my phone he still has some effort to make to get the codes.
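For contrast, the RFC 6238 computation sitaram mentions, as an added example in Go (not from the post or from any product named in the thread). The test secret is the ASCII one from the RFC's appendix; the skew window in `ServerAccepts` and the relay timings are assumptions. The point it shows is that nothing in a TOTP code depends on which site the user typed it into, so a look-alike site that forwards the code within the window is accepted by the real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// TOTP implements RFC 6238 over HMAC-SHA1: HOTP(secret, floor(t/step)) with
// dynamic truncation to the requested number of decimal digits.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble of the last byte
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// ServerAccepts is the usual relying-party check (assumed here): the submitted
// code must match the current 30-second step or one step either side.
func ServerAccepts(secret []byte, now int64, submitted string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(TOTP(secret, now+skew, 30, 6)), []byte(submitted)) {
			return true
		}
	}
	return false
}

// RelayPhish models the attack TOTP cannot stop: the victim types the code into
// a look-alike site at victimTime, which forwards it to the real site a few
// seconds later. The code carries no information about where it was typed.
func RelayPhish(secret []byte, victimTime, forwardDelay int64) bool {
	codeTypedIntoPhishingSite := TOTP(secret, victimTime, 30, 6)
	return ServerAccepts(secret, victimTime+forwardDelay, codeTypedIntoPhishingSite)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(TOTP(secret, 59, 30, 8))     // 94287082
	fmt.Println("relayed code accepted:", RelayPhish(secret, 1000, 10))
}
```

Compare this with the U2F flow above: there the origin is hashed into what the token signs, here the only inputs are the shared secret and the clock. That is the whole difference between "mitigates" and "prevents" for phishing, and it is also why a stolen TOTP seed (Carl's point) is equivalent to a stolen second factor.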

Ismar July 27, 2018 4:24 AM

I see this as a positive development, as one of the major players adopting a good and tested security standard instead of some proprietary implementation.
It gives U2F huge new momentum and contributes to more secure systems
Now can I have my free security token as promised Google? Just joking, just joking

Bauke Jan Douma July 27, 2018 5:37 AM

@Alejandro • July 26, 2018 5:41 PM

Nice strawman: what pray tell is ‘Hamermasian ‘ [sic]?

wiredog July 27, 2018 6:13 AM

Lots of people posting here seem to think this is a terrible solution because it’s produced by Google, which is a Large American Company, and besides, All Security Can Theoretically Be Compromised.

This and a passphrase is a better solution for account security than SMS and a passphrase, and SMS and a passphrase is better than just a passphrase.

Frank July 27, 2018 6:14 AM

Perfect security is terrifying. It will result, inevitably, in perfect government or corporate control. If Facebook doesn’t want you to have an account, without them knowing who you are, the physical token accomplishes that. You have to order it. It is sent to your physical address. It is the same every time you login from anywhere. And when govt makes a law, as the very next step in the process, to force corporations to turn over that token fingerprint to them, govt gets that level of identifying anyone online.

Free speech will be gone. Say the wrong thing, and you lose all your online social media accounts. No more Federalist papers. No more dissent. Buy the right hat with the right saying on it, and wear it whether you agree or not. Perfect security is institutional terrorism.

Alejandro July 27, 2018 6:56 AM

@Bauke Jan Douma

Re: “what pray tell is ‘Hamermasian ‘ [sic]?”

Beats me!

You might have missed the “;-)” at the end of my comment.

However, digital feudalization may have something to do with “commercial interests dominate the public sphere” and in the case of the google, fb, apple, ms etc. the movement towards digital corporations taking virtual possession of their users via their personal data. I am pretty sure the corporations are literally taking over most of what we used to think of as personal and public space and possessions.

An example might be using a Google Yubikey might then makes one a Googlian tribe member.

Slaves to the google. Meanwhile, the corps fight over us.

WeskerTheLurker July 27, 2018 8:29 AM

Maybe I’m just ignorant, but I’m not sure what’s so impressive about Google using a physical security key when the US Government (and presumably any nation who’s ever imported crypto gear from the US) has been using them for a long time.

It’s great to have an extra layer of security for your account. It still won’t necessarily help you if the machine/terminal that you trust has been hacked. And if it’s a foreign intelligence agency Google’s worried about, then it can be relatively easily bypassed with some good old HUMINT.

Methinks this is just a marketing ploy a la IHOb.

Feel free to correct me if I’m mistaken.
-Wesker

AlanS July 27, 2018 8:49 AM

Yubico’s Key of Trust post:

Today, Google released their own version of a security key, and while we have received the question if we were part of this production, these devices are not manufactured by Yubico. Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden. Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Frank July 27, 2018 9:08 AM

“Once FIDO/U2F is supported in all major browsers (the U2F standard is currently only supported by the Chrome browser, with Firefox support in beta), we will add LastPass support for this MFA. ”
https://lastpass.com/support.php?cmd=showfaq&id=8126

Translation
(ordinary consumer choices)

amazon.com prices

$50.00 for a “Yubico YubiKey NEO – USB-A, NFC, Two-Factor Authentication

$16.99 Feitian ePass NFC FIDO U2F Security Key

HyperFIDO Mini – U2F Security Key $9.73
(i use 1 for email)

Universal key-based U2F devices need to cost about $5 to facilitate wide use and purchase of multiple keys for multiple devices and portability of use. Yubico prices = niche market and use, i.e. IT security fail.
Browser providers need to adopt and integrate the FIDO spec asap.

Could fido u2f be embedded into devices or embed NFC authentication?

Clive Robinson July 27, 2018 9:19 AM

@ echo,

I will wait until Shenzhen manufactures a metallic pink Magic Security Ring +100 encrusted in Swarovski crystals and it’s available on eBay.

OK that’s the bells, but what about the whistle at 1600Hz so you can “phone phreak” old school, like they did with Cap’n Crunch decoder rings B-)

AlanS July 27, 2018 10:50 AM

@Frank

U2F is fully supported in current versions of Chrome, Opera and Firefox.

Yes, the Yubikey Neo which supports NFC and lots of other stuff costs $50. They are often on sale. I’ve seen them as cheap as $30 each if you buy two. A basic Yubico FIDO2 + U2F is $20 or $18 a piece if you buy two.

I think Yubico may be the only company selling FIDO2 U2F keys at the moment, although I’m not sure the new FIDO2 features are anything I’d want to use.

Clive Robinson July 27, 2018 11:48 AM

@ AlanS,

Those 2600 Hz whistles

That’s maybe why this “deaf old git” can’t hear them any more over the tinnitus whistle 🙁

Humdee July 27, 2018 12:07 PM

For those who actually care, the term “Habermasian” refers to the political theory of Jürgen Habermas.

https://en.wikipedia.org/wiki/J%C3%BCrgen_Habermas

FWIW I used “feudalization” in this context more narrowly as simply building brand affiliation (in this case with Google) as opposed to an open standard like FIDO. In a minor way this does play into “digital feudalization” writ large, but I wasn’t specifically invoking that broader concept.

Clive Robinson July 27, 2018 12:14 PM

@ ALL,

None of these tokens are “secure” to much more than “Teenage girl diary” standard when the computer they are connected to is also connected to the Internet or other communications network.

As others above have noted, if your computer can be accessed by others after you have authenticated to any security device or application on it, then the attacker at least has access to the plaintext interface by an “end run” attack on the HCI device drivers.

As @Nick P, myself and others have pointed out fairly regularly, this type of insecurity has been known since at least the 1960’s if not longer… Worse, there is a distinct misunderstanding about what you should be authenticating. Often people incorrectly authenticate a comms channel, not a transaction across a comms channel.

It’s one of the reasons I talk about “energy gapping” two devices and the difference between working in “Off-line” or “On-line” modes and transferring information across the gap by data diodes and similar strongly instrumented and mandated interfaces.

Dom July 27, 2018 1:21 PM

Do people not use docker, VMs or otherwise work remotely at google? I typically do my work on a VM’s remote desktop using VNC with encryption. Work related web pages are opened there. The yubikey would not function in this scenario, I believe, because it needs a direct USB connection.

For a hardware solution, I’d rather use an old fashioned key fob and type in a token. The yubikey does too much “magically/transparently” for my taste.

65535 July 27, 2018 1:53 PM

@ Mercantile

‘”and preventing phishing attacks” -Is that even true? Mitigating some things sure.’-Mercantile

Exactly. The Google Titan key only mitigates a phishing attack. It could help greatly with account takeovers but does not stop cleverly crafted malware from infecting a machine. Google’s servers probably have other methods to protect their internal network with scanning, filters, AI, and so on. Google has huge resources to protect their own equipment but the mom and pop shops do not.

In my prior post this sentence got mangled:
“…Krebs’s posters are correct that booby trapped email [my => may] still infect email and this particularly true of little windows shops even with the Titan key.”-65535

@ echo and Frank

“I thought these tokens were brilliant until I looked at their price and slowly discovered what they did and didn’t do. At the moment I have more reasons not to buy one..”

Yes, there are still many compatibility issues along with google back dooring their products. This was commonly noted in Krebs on Security comment section.
“Universal key based U2F devices needs to cost about $5 to facilitate wide use and purchase of multiple keys for multiple devices and portability of use.”- Frank

Yes, that is a fair statement. Some people recommend a backup key so you have two keys, and others say 3 keys would be the best option in case of losing a key. Costs do make a difference in adoption rates.

@ me

“Greg Glockner and @everyone
“Remember that yubikey and other security keys can’t help you if your pc is hacked because:
“1-the hacker can use your yubikey when it’s plugged in the pc
“2-if it has a pin (for digital signatures) it doesn’t matter as it can be keylogged… but all of this doesn’t matter as the key is intended only to prevent account take over via phishing, as far as i know.”

Your last statement on preventing account takeovers seems to be on target. That is the bottom line statement of the Google Key. Sources, of infection can easily happen to your machine regardless of the Google key.

@ sitaram

“…one assumption that U2F makes, and it’s a pretty common one: TOFU, a.k.a “trust on first use”. U2F assumes that the registration step is not compromised; i.e., you were in a safe environment at the time you registered.”

That is a good point. The key is designed by Google and probably made in Asia. That is not a comforting thought since Google has the “collect it all” mentality.

[and]

“It still won’t necessarily help you if the machine/terminal that you trust has been hacked. And if its a foreign intelligence agency Google’s worried about, then it can be relatively easily bypassed with some good old HUMINT. Methinks this is just a marketing ploy a la IHOb.” –WeskerTheLurker

True. Google almost never misses a chance to make money while consolidating power.

@ Sed Contra

“Consolidate all your debt into one low monthly payment.”
“Consolidate all your surveillance capitalism into one simple token.”

That is funny but probably true. This goes double when dealing with Google. They like to collect everything – including locations.

@ Frank

“…in perfect government or corporate control. If Facebook doesn’t want you to have an account, without them knowing who you are, the physical token accomplishes that. You have to order it. It is sent to your physical address. It is the same every time you login from anywhere. And when govt makes a law, as the very next step in the process, to force corporations to turn over that token fingerprint to them, govt gets that level of identifying anyone online… Say the wrong thing, and you lose all your online social media accounts. No more Federalist papers. No more dissent. Buy the right hat with the right saying on it, and wear it whether you agree or not….”-Frank

I hear you. That is a good point.

@ Alejandro

“…digital feudalization may have something to do with “commercial interests dominate the public sphere” and in the case of the google, fb, apple, ms etc. the movement towards digital corporations taking virtual possession of their users via their personal data. I am pretty sure the corporations are literally taking over most of what we used to think of as personal and public space and possessions…. example might be using a Google Yubikey might then makes one a Googlian tribe member.”

This is very true of Google. I could easily see a situation where this Google Key provides consolidation of power over their rivals. This could be a data-grab game.

@ AlanS

“Yubico’s Key of Trust post: Google released their own version of a security key, and while we have received the question if we were part of this production, these devices are not manufactured by Yubico… Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.”

That is a very good point. I would trust Yubico more than Google for the reasons above and the fact Google tries to collect every piece of information on almost everyone.

WeskerTheLurker July 27, 2018 2:26 PM

@65535 and others

Just to add on to what’s been said, I personally think that this might have a dangerously negative impact on your average Joe’s security, even after ignoring all the worries about backdoors and data grabbing.

Why? Because it gives a false sense of security greater than its actual value. Someone not too knowledgeable or skeptical will see the “no successful phishing!” spiel by Google, get cocky with internet security, and whoops – Joe’s business servers are now filled with cryptominers and other malware. Granted, I think it’s still better than 1FA, but again, it won’t protect you if you’ve got more trojans than Troy itself.

-Wesker

AJWM July 27, 2018 3:37 PM

@Carl ‘SAI’ Mitchell

“A hardware security key is substantially more difficult to compromise, because they can’t have their firmware updated after manufacture”

Of course, that presumes it hasn’t had its firmware updated during manufacture.

How do you independently verify the physical key? How far do you trust Google, or whoever their manufacturer is? (And it’s not just a question of trusting their management, but also their security practices.)

65535 July 27, 2018 3:43 PM

@ WeskerTheLurker

“I personally think that this might have a dangerously negative impact on your average Joe’s security… it gives a false sense of security greater than its actual value. Someone not too knowledgeable or skeptical will see the “no successful phishing!” spiel by Google, get cocky with internet security, and whoops – Joe’s business servers are now filled with cryptominers and other malware…”

That is a good point that I did not cover. Sometimes it is better to be vigilant and so called “paranoid” than to be blissful about new shiny toys that really don’t protect you or overstate their actual and usable security. I see this type of thing while actually evaluating “security experts” who have no real security on their own websites, machines or security training. Some of these “security experts” are just charlatans peddling snake oil.

Clive Robinson July 27, 2018 8:49 PM

@ AlanS,

I sympathise, as another old git with that whistle.

Have you been accused of being “selectively deaf” yet?

Those close to me, especially those of the “female of the species”, have hinted somewhat directly that my inability to hear them is, shall we say, advantageous to me, thus could be affected…

As you can probably guess, patiently explaining that their higher frequency voices are closer to the whistles in my head and that the brain tries hard to autocorrect for the “drop out” but gets it wrong sometimes, does not earn me any favours. You usually get the old “I knew you would say it was my fault” response… or worse.

I’ve come to the conclusion that in “the battle of the sexes” the most useful thing to have is not stubbornness, or bravery, but a fleet pair of feet[0] 😉

But of course the real enemy is “knowing thine enemy too well”, that is, familiarity[1] enables you to know in advance just what they are going to say more than half the time. So like Napoleon you build up a stock of “pre-prepared responses”[2]. Which of course sometimes goes horribly wrong. Thus along with fleet feet, the need for a man cave with well sound-proofed walls, which being lined with books can give you 😉

[0] Of course if you have read “The Art of War” you would know the most sage piece of advice is that “If you have to fight, pick the time and place most favourable to your success” as an attacker, and as a defender “Move in a way so as to frustrate your enemy gaining advantage of place and time”. Thus add a “Drunkards walk” to your skill set 0:)

[1] Not of course the “familiarity that breeds contempt”, but you might hear it said by your “lady of the house” when it does go horribly wrong :-S

[2] Whilst it is known that Napoleon had the bad combination of being “totally tone deaf and liking to sing, and the power to get away with it”, the jury is still out on his actually having defective hearing in other ways. Some historians think his stock questions and answers were just a way of a genius trying to affect the common touch of small talk.

Clive Robinson July 27, 2018 9:47 PM

@ Carl ‘SAI’ Mitchell,

A hardware security key is substantially more difficult to compromise, because they can’t have their firmware updated after manufacture (at least for the decent ones).

Whilst that used to be true some time ago, it is no longer the case with Flash ROM and electronic connections such as USB being used with “tokens” / “keys”.

If you look back far enough on this blog, you should find conversations between myself @Nick P and others on authentication tokens for banking.

Put simply for over two decades now I’ve been warning about how “side channel devices” cease to be “secure devices” when they become directly connected to the primary communications channel device.

Let’s just say as the idiot that thought up how to make SMS reliable to make it usable as a “side channel” for banking and the like back in the 1990’s, I’ve been thinking about how to properly extend the authentication path “through the human” for quite a long time now.

thepasswordmaker July 28, 2018 1:23 AM

With so many backdoors in software and hardware products around, I’m wondering how could someone trust these devices. And when I say ‘these devices’ I mean all of them. How can someone say and prove they are “secure”? I wouldn’t stick one of these even into a computer at home. And the maker is Google… oh, really, Google helps me to protect my data?! Aren’t we expecting a security key from Apple too? PS: I don’t trust any manufacturer and would never use such a key.

echo July 28, 2018 1:36 AM

@Clive

I have discovered a few industries tend to treat the human being as an object. The games and now HCI (Human Computer Interface) industries are two. There are others. If I recall, viewing the person as an inclusive part of the narrative mechanism, more akin to the movie-culture-social experience, was hijacked by HCI and marketing, which has morphed into UX (User eXperience), which again places the human in the position of object, as can be seen by the trend of projecting “flat design” on the world by trendies who were in nappies when the first big HCI studies were done.

I suspect sexism and ageism and ignorance are in the mix somewhere, which may mean it’s worth discussing the subject with decent psychologists and sociologists. I know there is an in-built overlooking of technical-social systems, or not taking them seriously, but the technical cannot be isolated from this. Modes of reasoning may be an issue.

Nobody commented on Escape Plan 2. I suspect because nobody was paying attention and missed the dialogue about security systems. It covered mapping a system and randomisation, and having somebody to help on the inside or outside. It was quite deep really.

I think it may all boil down to knowing when to hit the “off” switch.

A Very Nice Human Being July 31, 2018 3:29 AM

  1. Is this a stand-up routine? We are talking about google here. The bigger the front the bigger the back.
  2. What else is this magic ring doing, alongside its stated function? What else is it profiling?
  3. Why would you want to be reliant on google products – to the extent you financially commit yourself to being locked into using google products?

Weather July 31, 2018 3:34 AM

No it is not a joke, it’s 5-7 years old so my memory can’t recall all of it, but anyway….

PeaceHead August 1, 2018 7:18 PM

I like the idea of dipping back into the blacksmith arts.
That’s a high art and science to me.

It allows for the eventual re-shedding of electronic slavery.
But it’s only accessible to those who seek it.
Meanwhile several billions of lives are being herded into digital slavery (slavery to electrons is not my idea of a good time).

Physics has true utility. Too much of so-called civilisations built upon electrons (and/or the existential threat of atoms splitting) is not proven to be reliable in comparison to the age of humanity or any other form of older biology.

A wall needs to be a wall.
And thus, when a wall is a wall, it indeed is a wall.

All in all it’s just another Buddha next to the wall.
What’s a wall?

Slavery to the threat of atoms splitting (nor joining!) is not my idea of a good time.
Meanwhile the idiot savants think they can solve our problems by creating miniature black holes or by bringing back space microbes from other planet(oids).

Naw, we really don’t need any more viruses, bacteria, parasites, nor toxic chemicals or compounds.

Colonization of Mars won’t solve any Earthbound problems, it will make them worse.
Sure, not directly related to physical tokens, but if only we could transport all the cybercriminals and toxic aristocrats and toxic technocrats to another planet and just be done with them. That would be a nice “air gap”. But alas, there’s profound realisation in the study of just how interconnected lives truly are, despite the sociopathological tendencies of the exploiters.

Back to Liars and Outliers for more study.
Combine it with The Good Show (from Radiolabs, on NPR); tit for tat; Be Nice First; with adequate mathematical and sociological tolerance for accidents, communications errors, misinterpretations of observations, and intercultural confusions.

I truly believe the future of security sciences is not within computer science whatsoever.
Thanks Bruce Schneier Collective for giving some of us a slight head start on considering these important ideas some years back. Thanks for helping us to catch up a bit so we weren’t totally left in the dust. We can eventually give some things back to civilisations when we aren’t superseded by our own reputations.

Joao June 14, 2019 8:51 AM

SQRL will be nice for everyone else that doesn’t have FIDO U2F/ FIDO2 hardware devices, because it will be available in most used OS’s.

SQRL has already been released for Microsoft Windows with a stable release… and has been working fine for years.
The SQRL specs seem to be finalized; it is just a matter of making them available in a single document.

I hope that once clear technical information is made available in one document programmers can start developing for most Content Management Systems (CMS’s) and other important online systems so that we can end the password mess.

One big improvement over FIDO U2F/ FIDO2 is that SQRL includes in the protocol the possibility for providers to send confirmation messages to the user, who digitally signs them to prove they are who they say they are. For example, banks can request the user to confirm using SQRL “Do you want to transfer $30.000.00 to IBAN: 8241.4414.124124.1241?” (YES) (NO); or some online store may ask “Do you want to transfer your credit of $120.00 to user: John Wick (account: 287483829583)” (Yes, authorize) (No).

Phishing is a problem with SQRL unless the SQRL app is on the same machine, or the program (ex.: browser) can communicate to the external device both the true URL and the one the web site/ service is requesting authorization for.
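The two mechanisms argued about in this thread, the origin binding that lets a U2F key refuse to help a look-alike site (Joao's last paragraph and the earlier phishing discussion), the trust-on-first-use registration step that sitaram's quoted comment points out U2F cannot check, and the signed transaction confirmation Joao describes for SQRL, can all be seen in one short simulation. The code below is an added example written for this page, not code from Google, Yubico, the FIDO alliance or the SQRL project. The names `Token`, `RelyingParty` and `browser_assert`, the origins `login.example.com` and `login.examp1e.com`, and the transaction text are constructed for the example. To stay in the standard library it uses a per-site HMAC key as a stand-in for the per-site EC keypair a real token holds; the flow (hash of the site id, a monotonic counter and a hash of the browser-supplied client data go under the signature) follows U2F's shape, and the rejection behaviour is what the protocol relies on.

```python
import hashlib
import hmac
import json
import os
import struct


def signed_payload(rp_id: str, counter: int, client_data: bytes) -> bytes:
    """What the token signs: hash(site id) || counter || hash(client data)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


class Token:
    """Toy authenticator (constructed). A real U2F key holds one EC keypair per
    site; here the per-site key is an HMAC key derived from a master secret
    that never leaves this object, a symmetric stand-in for that keypair."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.counter = 0  # monotonic counter, lets the site spot replays and clones

    def _key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # TOFU step: whatever site id is presented here is what gets bound.
        # Neither the token nor the protocol can tell a clean machine from a hacked one.
        return self._key_for(rp_id)

    def sign(self, rp_id: str, client_data: bytes):
        self.counter += 1
        mac = hmac.new(self._key_for(rp_id), signed_payload(rp_id, self.counter, client_data),
                       hashlib.sha256).digest()
        return self.counter, mac


def browser_assert(token: Token, rp_id: str, origin: str, challenge: str, tx: str = None):
    """The browser, not the web page, fills in the origin it is really connected
    to; the token then signs over it, so a look-alike site cannot claim the genuine origin."""
    data = {"typ": "auth", "challenge": challenge, "origin": origin}
    if tx is not None:
        data["tx"] = tx  # confirmation text shown to the user (SQRL-style)
    client_data = json.dumps(data, sort_keys=True).encode()
    counter, sig = token.sign(rp_id, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}  # user -> [credential key, last counter seen]

    def register(self, user: str, token: Token) -> None:
        self.creds[user] = [token.register(self.rp_id), 0]

    def new_challenge(self) -> str:
        return os.urandom(16).hex()

    def verify(self, user, challenge, client_data, counter, sig, expected_tx=None) -> bool:
        key, last = self.creds[user]
        cd = json.loads(client_data)
        # Origin binding: an assertion produced for any other origin is worthless here.
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return False
        if cd.get("tx") != expected_tx:  # confirmation text must be exactly what we asked
            return False
        if counter <= last:  # replayed assertion, or a cloned token lagging behind
            return False
        expected = hmac.new(key, signed_payload(self.rp_id, counter, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.creds[user][1] = counter
        return True


def demo() -> dict:
    token = Token(os.urandom(32))
    rp = RelyingParty("example.com", "https://login.example.com")
    rp.register("alice", token)  # assumed to happen on a trusted machine (TOFU)
    results = {}

    ch = rp.new_challenge()  # 1. genuine login, then the same assertion replayed
    cd, n, sig = browser_assert(token, rp.rp_id, rp.origin, ch)
    results["genuine"] = rp.verify("alice", ch, cd, n, sig)
    results["replay"] = rp.verify("alice", ch, cd, n, sig)

    ch = rp.new_challenge()  # 2. look-alike site relays the real challenge; the browser
    cd, n, sig = browser_assert(token, rp.rp_id, "https://login.examp1e.com", ch)
    results["phished"] = rp.verify("alice", ch, cd, n, sig)  # records the wrong origin

    ch = rp.new_challenge()  # 3. transaction confirmation: the displayed text is signed
    tx = "Transfer $30.00 to IBAN XX00 0000 0000 (constructed)"
    cd, n, sig = browser_assert(token, rp.rp_id, rp.origin, ch, tx)
    results["tx_tampered"] = rp.verify("alice", ch, cd, n, sig,
                                       expected_tx="Transfer $3000.00 to IBAN XX00 0000 0000 (constructed)")
    results["tx_ok"] = rp.verify("alice", ch, cd, n, sig, expected_tx=tx)
    return results
```

Running `demo()` gives `genuine` and `tx_ok` as True and `replay`, `phished` and `tx_tampered` as False. The design point worth noticing is where each check lives: the origin is asserted by the browser and verified by the site, so the token itself never needs to know what a URL is, and the counter check is the site's only hint that a token has been duplicated. Nothing in the flow protects the registration call, which is exactly the assumption sitaram's comment calls out.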

Jeff Brixhamite November 28, 2019 6:46 AM

Currently the major issue is lack of support beyond the normal social media sites. In time I am sure more sites will support hardware keys but for now support is still limited.
