Google Plans Upgrade of Two-Factor Authentication For Politicians and CEOs (theverge.com) 92
An anonymous reader quotes the Verge:
Google plans on upgrading its two-factor authentication tool with an improved, physical security measure aimed at protecting high-profile users from politically motivated cyberattacks, according to a report from Bloomberg. The new service, to be called Advanced Protection Program and potentially slated to launch next month, will trade out the standard authentication process for services like Gmail and Google Drive with physical USB security keys. The service would also restrict the types of third-party apps and services that could connect to a user's Google account.
The changes are not likely to affect standard Google account owners, as Bloomberg reports that Google "plans to market the product to corporate executives, politicians and others with heightened security concerns."
We're not worthy (Score:5, Insightful)
Re: (Score:3)
Ok Google, I get it. Us plebs don't deserve good security.
Well, certainly no other account in a company would be worth securing, right? I mean what access would those piss-ant IT SysAdmins have? I mean, it's not like they control the entire server farm...
Re: (Score:2)
Ok Google, I get it. Us plebs don't deserve good security.
Well, certainly no other account in a company would be worth securing, right? I mean what access would those piss-ant IT SysAdmins have? I mean, it's not like they control the entire server farm...
Is your sysadmin controlling the server farm with their Gmail login? I think you might want a new sysadmin.
Google accounts don't contain technically sensitive information, they contain personally and organizationally sensitive information. The risk is the attacker can compromise an account belonging to someone important (ie, Clinton's campaign manager) and obtains a bunch of sensitive information. Your sysadmin shouldn't have that kind of info in their account.
Now there's an impersonation risk, but unusual
Re: (Score:2)
Also Trump WH staff [nypost.com], former Chief of Staff [cnbc.com]; six in total [cnn.com], so far.
Everything's a goddamn political discussion on Slashdot these days, eh?
Re: (Score:2, Informative)
do you think they'd be doing this if it was Trump's Campaign Manager that got hacked, and Clinton had won the election? Would that story even spend any time in the media if that was the case?
Google is addressing problems with their service. I think they would have done so if it was Trump as well. I'm not convinced any of it is partisan on their part. The better authentication is probably something they will sell to others if there is enough demand. Personally if you want security I seriously suggest you use a separate program to encrypt your emails before handing them over to Google. That way, even if they are vacuumed you have another layer of encryption such that only the sender and the
Re: (Score:2)
Why would not politics exist on slashdot, nerds and geeks have political issues just like regular folk and you know what, they can use technology to get their ideas across as well as obtain political change.
How about a third factor authentication, you know the one where end users get to authenticate that it is real political bullshit, coming from real bullshit politicians, those corporate lies that CEO tells to rip us off democratically, so you know, WE CAN BLOCK THEM, automatically. All paid political mes
Re: (Score:2)
Yes, but accounting is a pretty high risk with a direct attack.
(IT would be an indirect attack.)
Re: (Score:2)
In addition, they act like the politicos are even bright enough to use this!
I suspect the restriction is only because many of us would actually be able to successfully use it.
Re: (Score:3)
Well, maybe that's the idea behind it: A two factor auth that even CEOs and politicians can't fuck up.
Actually, I'm really curious now, so far my attempts have been thwarted. Every time I come up with a foolproof system, the board comes up with a more foolish CEO.
Re: (Score:2)
Security keys can't be duplicated. They're made with military-grade hardware that costs like $5 and resists fault injections and physical assault, so retrieving the key is impossible with current technology.
I recommended the same thing for identity theft [facebook.com] (YouTube [youtube.com]). That involves legislation allowing regulation which drives the current consumer-grade (i.e. affordable) technology into requirement without requiring an act of Congress every time the current technology becomes obsolete and vulnerable.
Re: (Score:1)
In addition, they act like the politicos are even bright enough to use this!
Have you ever talked privately with a politician? They tend to be very intelligent and inquisitive, and likely wouldn't be where they are if they weren't. They just act stupid in public so people will vote for them. If they come across as a smarty-pants know-it-all, they will lose. Example: Hillary.
Anyway, this does not require politicians to be smart. They just need to have a smart staffer set it up for them.
Re:We're not worthy (Score:5, Informative)
Well, the USB key has been available for well over two years now -- for less than $20 [amazon.com].
And what makes you think you wouldn't be able to buy the rest of the new security package if you wanted to (a) pay the going rate, just like above, and (b) live with the restrictions re third-party app access? TFA (which is basically somewhat educated rumor-mongering anyway) simply says it would be marketed to high-profile users, not that it would be restricted to them.
Re: (Score:2)
I wish they made a USB key with an emergency suicide feature. Even just a button which if pressed five times rapidly erased the keys.
Physical security is an increasing problem, especially at borders.
Re: (Score:2)
I wish Google will give me the option of disabling text messaging as a second factor for authentication.
Really? (Score:2)
If you have "heightened security concerns," what on earth are you doing using a public webmail product?
Re: (Score:3)
I suspect Gmail (corporate version) is more secure than what most organizations can implement and support.
The only problem with hardware 2-factor is how to incorporate it into mobile. Is the phone itself a sufficient token (if coupled with something like TouchID to verify the user?)
The Fido hardware keys are a simple way to secure desktop access.
Re: (Score:2)
Some tokens have NFC. I presume this allows the user to tap the token against the phone when logging into the app, thus providing another, secure factor.
Re: (Score:2)
The only problem with hardware 2-factor is how to incorporate it into mobile.
NFC-enabled tokens. This is what Google uses internally (which I suspect is the same thing they're marketing to celebs and execs): Device has an authentication key, plus password, plus USB/NFC token. Three-factor auth.
Re: (Score:2)
NFC-enabled tokens. This is what Google uses internally
Although the politicians / CEOs are Google's target today, eventually a company will make a tier for the rest of us... including non-technical "normies" using cheap phones ($50 - $150)...
In my experience, while tech people almost exclusively splurge on feature-rich flagship phones where NFC is a given, cheap phones are common for normies.
I did a lot of research to replace my dying phone last week. Cheap (and not so cheap) phones don't cover the 5Ghz Wifi band yet. Cheap phones don't have DLNA. They don't h
Re: (Score:2)
Most phones have NFC which can be used with a suitable token that also has USB for desktop use. Many phones have USB-C as well now, which you could plug the token in to.
Re: (Score:2)
I have the corporate version. It's the same as the free version but you have a domain and can add and remove your own accounts.
Authentication factors: What you know, what you have, what you are.
What you know: a password
What you have: a cell phone
What you are: a fingerprint
Two elements from "what you know" is only single factor authentication. For two factor authentication, you need elements from two categories.
So, your password and your high school mascot is only single-factor authentication because both ar
Re: (Score:2)
I couldn't agree more. These people shouldn't be using Google services if they need enhanced security.
I'd say that just using Windows is a security risk.
Re: (Score:2)
Think again. We're talking about trusting Google with guarding your secrets.
An apt comparison would be to not have medical attention from medieval doctors that treat you with bloodletting and enemas while consulting the stars to find the right cure instead of the pleb's answer to a cold, i.e. herbal tea and bedrest.
Animal Farm (Score:1)
> ... Ok Google, I get it. Us plebs don't deserve good security ...
Google has become an Animal Farm
They now practice the "All animals are equal but some animals are more equal than others" doctrine
Re: (Score:1)
As you hide under the Cloak of A.C. ...
Re: (Score:1)
Says a person who doesn’t give away their real name and could have multiple sockpuppet accounts. So brave you are.
Re: (Score:2)
How is this left/right? Jared has already been caught along with a number of other Trump people using private email. Get over it. But I totally agree with one of the prior comments. Thanks Google for reminding us that once again the rich/political class is special.
Re: (Score:3)
As if the US has any leftist politicians.
Re: (Score:2)
As if the US has any leftist politicians.
Bernard?
Re: (Score:2)
Is there anything but?
That USB stick that I found in the parking lot! (Score:2, Insightful)
Who knows what is on it, but I'll plug it in to my computer anyway!
. . . but Google would never be lackeys, henchmen and hoodlums for the US government . . . and plant NSA spyware on the sticks . . .
. . . would they . . . ?
Re: (Score:2)
I tried that stick on my Linux desktop and nothing happened. Why? Inquiring minds want to know.
Re: (Score:2)
I tried that stick on my Linux desktop and nothing happened.
The year 2007 was the year of "Linux on the Desktop". Sorry, you're a bit late.
Another brilliantly useless article (Score:3)
I'd love to know what Google is actually changing, but the article doesn't really say - I've been using a physical security key for my Google account logins for a while now. Though the 'limiting apps that can connect' is certainly a good thing, I can't figure out what they are actually changing otherwise.
Does this involve being able to force accounts to use a security key? What's really going on here?
I lost my...[hacked] (Score:3)
Because they will spend the money on USB keys and then not bother with creating some form of identity validation policy, cue the "I lost my USB key, can you give me a temporary password?" phone hack in 3...2...
Social engineering. Because hacking ignorance is timeless.
Re: (Score:3)
And nobody had better think that "company policy dictates that I must not" is an answer that the CEO is going to accept. This is basically why CEO fraud is so successful: CEOs with delusions of grandeur and a short temper, with underlings too scared not to jump when someone yells at them through the phone because they're used to it.
Re: (Score:3)
For corporate gmail, the "can you give me a new password" request goes to the administrator of your corporate gmail. It does not go to Google.
That raises the bar slightly. First the hackers have to know who that is. Second they have to determine what the practices and procedures for making the request are for your organization and third what a possible way to subvert them are. Should be different for all organizations.
Re: (Score:2)
For corporate gmail, the "can you give me a new password" request goes to the administrator of your corporate gmail. It does not go to Google.
That raises the bar slightly. First the hackers have to know who that is. Second they have to determine what the practices and procedures for making the request are for your organization and third what a possible way to subvert them are...
*hacker gleans CxO names and titles from the corporate website, along with major customers from PR postings*
"Yes, Hi. My name is Mr. Smith. I just started last week and lost my token. Mr. [name-drop CEO] stated it was urgent that I contact someone to get access immediately because we have [name-drop customer] waiting on a million-dollar order!"
Yeah, the bar was raised alright. By an inch.
...Should be different for all organizations.
When it comes to social engineering, little has changed.
FIDO U2F keys? (Score:3, Informative)
Google already supports FIDO U2F keys, such as the YubiKey, that you can use instead of their Google 2FA app.
How is this news?
Re: (Score:2)
Something I've always wondered, what happens if you lose your Yubikey or its electronics stuffs up? How do you reestablish your identity?
Are we back to security questions like "what's your mother's maiden name?"
Re: (Score:2)
Through your back up email account. Or (currently) if enabled, a text to your back up phone.
Re: (Score:2)
Something I've always wondered, what happens if you lose your Yubikey or its electronics stuffs up? How do you reestablish your identity?
Are we back to security questions like "what's your mother's maiden name?"
Godel,
Same as with your house key or car key. You just set up another U2F/YubiKey key and use that to recover/access your account, then disable the lost/damaged/stolen key.
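Added illustration, not code from the article, from any commenter, or from Google's or YubiKey's implementations, of the two points made above: why a U2F key "can't be duplicated" from anything the server holds (the private key never leaves the device, and a counter that fails to advance is the server's clue that a key was cloned), and why a lost key is recovered by enrolling a replacement rather than a reset question. It uses the U2F authentication signing format (sha256(appId) || user-presence byte || 4-byte counter || sha256(clientData)); the appId, client data and names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token models a U2F key: a P-256 private key that never leaves the device plus a counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
// Registration is the server's record of an enrolled key: no secret is stored, so a lost key is handled by deleting this record and enrolling a replacement.
type Registration struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}
// Enroll mints a fresh key pair on the token and hands the server only the public half.
func Enroll() (*Token, *Registration) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv}, &Registration{Pub: &priv.PublicKey}
}
// authData is what the key signs at each login:
// sha256(appId) || userPresence(1) || counter(4, big-endian) || sha256(clientData)
func authData(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	d := append(append([]byte{}, app[:]...), 1, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(d, cd[:]...)
}
// Authenticate is the key's response to a touch: bump the counter and sign.
func (t *Token) Authenticate(appID string, clientData []byte) (uint32, []byte) {
	t.counter++
	h := sha256.Sum256(authData(appID, t.counter, clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	return t.counter, sig
}
// Verify checks the signature, then that the counter advanced: a stalled or repeated counter is the server's only hint that the key may have been cloned.
func (r *Registration) Verify(appID string, clientData []byte, counter uint32, sig []byte) error {
	h := sha256.Sum256(authData(appID, counter, clientData))
	if !ecdsa.VerifyASN1(r.Pub, h[:], sig) {
		return errors.New("bad signature")
	}
	if counter <= r.LastCounter {
		return errors.New("counter did not advance: possible cloned key")
	}
	r.LastCounter = counter
	return nil
}
```

Because the signature also covers sha256(appId), a response obtained for one origin does not verify for another, which is what makes these keys phishing-resistant.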
This explains recent Y2F Android failure (Score:1)
No small wonder Google nonchalantly deactivated Y2F key support for Android recently....
too hard (Score:2)
But (Score:2)
I thought politicians were supposed to use only their government email address.
Re: (Score:2)
Nah, they run their own mail servers for the official stuff.
Can we make the politicians authentic too? (Score:2)
Oh, a man can dream, a man can dream.
Least likely to use it (Score:3)
Those two groups are least likely to use it.
It isn't a good testbed.
It implies everyone else is less important.
It won't change hacker's mentality toward hacking.
CEOs shouldn't be using Gmail.
Re: (Score:1)
"CEOs shouldn't be using Gmail."
I set my clients up on G Suite products all the time, Gmail especially. Including CEOs. If the password is strong and unique I don't see the issue, better yet if using 2FA. Or are you suggesting Google is exfiltrating email user data in a way that exposes company secrets?
Protect from whom? (Score:3)
So with the increased security, that helps to protect from people trying to hack into Google. But who protects us from Google? They already have too much information and now they insist on having even more:
Google just pushed out an update last week, so apparently unless I turn on tracking and logging of everything I do (location, web history, etc), I can't use my Wear watch to search for ANYTHING anymore. Really?
The watch was great when I first bought it. Then they updated and ruined the search ability. Instead of being a nice, fast, Google web-like search engine, it became some stupid Google Now-like thing that doesn't ever give me what I want and no choices. Several months later it is "upgraded" to "Google Assistant" which REQUIRES I turn on all this tracking and storage. Almost nothing I want to search for requires a "history" of what I have done in the past.
I know this has already been explored, but... (Score:2)
...now you know who is important to Google. And it is not virtually everyone reading this forum. Both politicians reading this will be encouraged that they are in the clear.