Google Security Hardware

Google Plans Upgrade of Two-Factor Authentication For Politicians and CEOs (theverge.com)

An anonymous reader quotes the Verge: Google plans on upgrading its two-factor authentication tool with an improved, physical security measure aimed at protecting high-profile users from politically motivated cyberattacks, according to a report from Bloomberg. The new service, to be called Advanced Protection Program and potentially slated to launch next month, will trade out the standard authentication process for services like Gmail and Google Drive with physical USB security keys. The service would also restrict the types of third-party apps and services that could connect to a user's Google account.

The changes are not likely to affect standard Google account owners, as Bloomberg reports that Google "plans to market the product to corporate executives, politicians and others with heightened security concerns."

  • We're not worthy (Score:5, Insightful)

    by dcollins117 ( 1267462 ) on Sunday October 01, 2017 @04:41PM (#55289071)

    Ok Google, I get it. Us plebs don't deserve good security.

    • Ok Google, I get it. Us plebs don't deserve good security.

      Well, certainly no other account in a company would be worth securing, right? I mean what access would those piss-ant IT SysAdmins have? I mean, it's not like they control the entire server farm...

      • Ok Google, I get it. Us plebs don't deserve good security.

        Well, certainly no other account in a company would be worth securing, right? I mean what access would those piss-ant IT SysAdmins have? I mean, it's not like they control the entire server farm...

        Is your sysadmin controlling the server farm with their Gmail login? I think you might want a new sysadmin.

        Google accounts don't contain technically sensitive information; they contain personally and organizationally sensitive information. The risk is that the attacker can compromise an account belonging to someone important (i.e., Clinton's campaign manager) and obtain a bunch of sensitive information. Your sysadmin shouldn't have that kind of info in their account.

        Now there's an impersonation risk, but unusual

        • (ie, Clinton's campaign manager)

          Also Trump WH staff [nypost.com], former Chief of Staff [cnbc.com]; six in total [cnn.com], so far.

          Everything's a goddamn political discussion on Slashdot these days, eh?

          • by rtb61 ( 674572 )

            Why would politics not exist on Slashdot? Nerds and geeks have political issues just like regular folk, and you know what, they can use technology to get their ideas across as well as obtain political change.

            How about a third factor authentication, you know the one where end users get to authenticate that it is real political bullshit, coming from real bullshit politicians, those corporate lies that CEO tells to rip us off democratically, so you know, WE CAN BLOCK THEM, automatically. All paid political mes

        • Yes, but accounting is a pretty high risk with a direct attack.

          (IT would be an indirect attack.)

    • In addition, they act like the politicos are even bright enough to use this!

      I suspect the restriction is only because many of us would actually be able to successfully use it.

      • Well, maybe that's the idea behind it: A two factor auth that even CEOs and politicians can't fuck up.

        Actually, I'm really curious now, so far my attempts have been thwarted. Every time I come up with a foolproof system, the board comes up with a more foolish CEO.

        • Security keys can't be duplicated. They're made with military-grade hardware that costs like $5 and resists fault injections and physical assault, so retrieving the key is impossible with current technology.

          I recommended the same thing for identity theft [facebook.com] (YouTube [youtube.com]). That involves legislation allowing regulation which drives the current consumer-grade (i.e. affordable) technology into requirement without requiring an act of Congress every time the current technology becomes obsolete and vulnerable.

      • In addition, they act like the politicos are even bright enough to use this!

        Have you ever talked privately with a politician? They tend to be very intelligent and inquisitive, and likely wouldn't be where they are if they weren't. They just act stupid in public so people will vote for them. If they come across as a smarty-pants know-it-all, they will lose. Example: Hillary.

        Anyway, this does not require politicians to be smart. They just need to have a smart staffer set it up for them.

    • Re:We're not worthy (Score:5, Informative)

      by SlaveToTheGrind ( 546262 ) on Sunday October 01, 2017 @05:20PM (#55289231)

      Well, the USB key has been available for well over two years now -- for less than $20 [amazon.com].

      And what makes you think you wouldn't be able to buy the rest of the new security package if you wanted to (a) pay the going rate, just like above, and (b) live with the restrictions re third-party app access? TFA (which is basically somewhat educated rumor-mongering anyway) simply says it would be marketed to high-profile users, not that it would be restricted to them.

      • by AmiMoJo ( 196126 )

        I wish they made a USB key with an emergency suicide feature. Even just a button which, if pressed five times rapidly, erased the keys.

        Physical security is an increasing problem, especially at borders.

      • I wish Google would give me the option of disabling text messaging as a second factor for authentication.

    • If you have "heightened security concerns," what on earth are you doing using a public webmail product?

      • by sl149q ( 1537343 )

        I suspect Gmail (corporate version) is more secure than what most organizations can implement and support.

        The only problem with hardware 2-factor is how to incorporate it into mobile. Is the phone itself a sufficient token (if coupled with something like TouchID to verify the user?)

        The FIDO hardware keys are a simple way to secure desktop access.

        • by skegg ( 666571 )

          Some tokens have NFC. I presume this allows the user to tap the token against the phone when logging into the app, thus providing another, secure factor.

        • The only problem with hardware 2-factor is how to incorporate it into mobile.

          NFC-enabled tokens. This is what Google uses internally (which I suspect is the same thing they're marketing to celebs and execs): Device has an authentication key, plus password, plus USB/NFC token. Three-factor auth.

          • NFC-enabled tokens. This is what Google uses internally

            Although the politicians / CEOs are Google's target today, eventually a company will make a tier for the rest of us... including non-technical "normies" using cheap phones ($50 - $150)...
            In my experience, while tech people almost exclusively splurge on feature-rich flagship phones where NFC is a given, cheap phones are common for normies.

            I did a lot of research to replace my dying phone last week. Cheap (and not so cheap) phones don't cover the 5Ghz Wifi band yet. Cheap phones don't have DLNA. They don't h

            • If you can't afford a more expensive phone, I think you're better off getting a 2-3 year old high end phone. They can usually be purchased at or slightly above the upper end of the range you quote. Those cheap phones are typically running ancient software, completely unsupported, as well as the other limitations you mention.

        • by AmiMoJo ( 196126 )

          Most phones have NFC which can be used with a suitable token that also has USB for desktop use. Many phones have USB-C as well now, which you could plug the token in to.

        • USB-C FIDO keys.

        • I have the corporate version. It's the same as the free version but you have a domain and can add and remove your own accounts.

          Authentication factors: What you know, what you have, what you are.

          What you know: a password
          What you have: a cell phone
          What you are: a fingerprint

          Two elements from "what you know" are still only single-factor authentication. For two-factor authentication, you need elements from two categories.

          So, your password and your high school mascot is only single-factor authentication because both ar

      • I couldn't agree more. These people shouldn't be using Google services if they need enhanced security.

        I'd say that just using Windows is a security risk.

    • Think again. We're talking about trusting Google with guarding your secrets.

      An apt comparison would be to not have medical attention from medieval doctors that treat you with bloodletting and enemas while consulting the stars to find the right cure instead of the pleb's answer to a cold, i.e. herbal tea and bedrest.

    • by Anonymous Coward

      > ... Ok Google, I get it. Us plebs don't deserve good security ...

      Google has become an Animal Farm

      They now practice the "All animals are equal but some animals are more equal than others" doctrine

    • by jopsen ( 885607 )

      U2F is supported by Google and Chrome... Seriously, just get a YubiKey... This is probably just Google doing the social work of forcing high-profile accounts to use U2F...

  • Who knows what is on it, but I'll plug it in to my computer anyway!

    . . . but Google would never be lackeys, henchmen and hoodlums for the US government . . . and plant NSA spyware on the sticks . . .

    . . . would they . . . ?

  • by mhkohne ( 3854 ) on Sunday October 01, 2017 @04:48PM (#55289097) Homepage

    I'd love to know what Google is actually changing, but the article doesn't really say - I've been using a physical security key for my Google account logins for a while now. Though the 'limiting apps that can connect' is certainly a good thing, I can't figure out what they are actually changing otherwise.

    Does this involve being able to force accounts to use a security key? What's really going on here?

  • by geekmux ( 1040042 ) on Sunday October 01, 2017 @04:50PM (#55289113)

    Because they will spend the money on USB keys and then not bother with creating some form of identity validation policy, cue the "I lost my USB key, can you give me a temporary password?" phone hack in 3...2...

    Social Engineering. Because hacking ignorance is timeless.

    • And better nobody thinks that "company policy dictates that I must not" is an answer that CEO is going to accept. This is basically why the CEO fraud is so successful: CEOs with delusions of grandeur and a short temper, with underlings too scared to not jump when someone yells at them through the phone because they're used to it.

    • by sl149q ( 1537343 )

      For corporate Gmail, the "can you give me a new password" request goes to the administrator of your corporate Gmail. It does not go to Google.

      That raises the bar slightly. First, the hackers have to know who that is. Second, they have to determine what the practices and procedures for making the request are for your organization, and third, what a possible way to subvert them is. Should be different for all organizations.

      • For corporate Gmail, the "can you give me a new password" request goes to the administrator of your corporate Gmail. It does not go to Google.

        That raises the bar slightly. First, the hackers have to know who that is. Second, they have to determine what the practices and procedures for making the request are for your organization, and third, what a possible way to subvert them is...

        *hacker gleans CxO names and titles from the corporate website, along with major customers from PR postings*

        "Yes, Hi. My name is Mr. Smith. I just started last week and lost my token. Mr. [name-drop CEO] stated it was urgent that I contact someone to get access immediately because we have [name-drop customer] waiting on a million-dollar order!"

        Yeah, the bar was raised alright. By an inch.

        ...Should be different for all organizations.

        When it comes to social engineering, little has changed.

  • FIDO U2F keys? (Score:3, Informative)

    by Anonymous Coward on Sunday October 01, 2017 @04:59PM (#55289151)

    Google already supports FIDO U2F keys, such as yubikey, that you can use instead of their google 2FA app.

    How is this news?

    • Something I've always wondered, what happens if you lose your Yubikey or its electronics stuffs up? How do you reestablish your identity?

      Are we back to security questions like "what's your mother's maiden name?"

      • by sl149q ( 1537343 )

        Through your backup email account. Or (currently) if enabled, a text to your backup phone.

      • Something I've always wondered, what happens if you lose your Yubikey or its electronics stuffs up? How do you reestablish your identity?

        Are we back to security questions like "what's your mother's maiden name?"

        Godel,

        Same as with your house key or car key. You just set up another U2F/YubiKey key and use that to recover/access your account, then disable the lost/damaged/stolen key.
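
The recovery pattern in the reply above (a spare key registered in advance, the lost one disabled) as an added example in Go; this is not code from the thread or from Google's service. It models a U2F-style challenge signature with ECDSA P-256 and origin binding; the account, key names and challenge value are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Account is the server side: one public key per registered key; a spare registered in advance is what makes recovery possible.
type Account struct{ Keys map[string]*ecdsa.PublicKey }
func NewAccount() *Account { return &Account{Keys: map[string]*ecdsa.PublicKey{}} }
// SecurityKey stands in for the hardware token; the private key never leaves it.
type SecurityKey struct{ priv *ecdsa.PrivateKey }
func NewSecurityKey() *SecurityKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SecurityKey{priv: k}
}
// digest mirrors U2F: the signed data is SHA-256(origin) || challenge, binding the signature to one origin.
func digest(origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	d := sha256.Sum256(append(app[:], challenge...))
	return d[:]
}
// Assert is the token answering a login challenge from the site at origin.
func (s *SecurityKey) Assert(origin string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest(origin, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}
// Register stores a token's public key; Revoke drops a lost or stolen one.
func (a *Account) Register(name string, k *SecurityKey) { a.Keys[name] = &k.priv.PublicKey }
func (a *Account) Revoke(name string)                  { delete(a.Keys, name) }
// Verify accepts an assertion only from a still-registered key whose signature checks for this origin and challenge.
func (a *Account) Verify(name, origin string, challenge, sig []byte) error {
	pub, ok := a.Keys[name]
	if !ok {
		return errors.New("unknown or revoked key")
	}
	if !ecdsa.VerifyASN1(pub, digest(origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Once the primary key is revoked, only the spare's signatures are accepted, and a signature produced for a different origin is rejected even from a registered key.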

  • by Anonymous Coward

    No small wonder Google nonchalantly deactivated U2F key support for Android recently....

  • When I read this I thought they meant they had dumbed it down to make it easier to use than typing in a password or rubbing your finger over a fingerprint scanner, because these have all proven to be overly difficult for CEOs and politicians.

  • I thought politicians were supposed to use only their government email address.

  • Oh, a man can dream, a man can dream.

  • by HermMunster ( 972336 ) on Sunday October 01, 2017 @06:33PM (#55289471)

    Those two groups are least likely to use it.

    It isn't a good testbed.

    It implies everyone else is less important.

    It won't change hackers' mentality toward hacking.

    CEOs shouldn't be using Gmail.

    • by Archon ( 13753 )

      "CEOs shouldn't be using Gmail."

      I set my clients up on G Suite products all the time, Gmail especially. Including CEOs. If the password is strong and unique I don't see the issue, better yet if using 2FA. Or are you suggesting Google is exfiltrating email user data in a way that exposes company secrets?

  • by markdavis ( 642305 ) on Sunday October 01, 2017 @06:43PM (#55289521)

    So with the increased security, that helps to protect from people trying to hack into Google. But who protects us from Google? They already have too much information and now they insist on having even more:

    Google just pushed out an update last week, so apparently unless I turn on tracking and logging of everything I do (location, web history, etc), I can't use my Wear watch to search for ANYTHING anymore. Really?

    The watch was great when I first bought it. Then they updated and ruined the search ability. Instead of being a nice, fast, Google web-like search engine, it became some stupid Google Now-like thing that doesn't ever give me what I want and no choices. Several months later it is "upgraded" to "Google Assistant" which REQUIRES I turn on all this tracking and storage. Almost nothing I want to search for requires a "history" of what I have done in the past.

  • ...now you know who is important to Google. And it is not virtually everyone reading this forum. Both politicians reading this will be encouraged that they are in the clear.
