None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
Wow a whole year (Score:4, Insightful)
If Google's getting kudos after a year, I want a goddamned payout.
Re: (Score:2)
I've never fallen for a phishing email with or without 2fa. If Google's getting kudos after a year, I want a goddamned payout.
Cause that's the same thing as a company with 85,000 employees.
Google controls the employees, the environment they operate in, and the servers they connect to. Given that level of control, if their IT can't prevent phishing then they're pretty incompetent.
Even Mythbusters [youtube.com] have shown how easy this can be.
Re:Wow a whole year (Score:4, Insightful)
My wife has never fallen for a phishing email either; she uses two factors. One, she got an email she doesn't understand. Two, she asks me to deal with it.
Here is the thing, here is why this is huge news for nerds: Google never had to call me and ask. They didn't need to hire 85,000 nerds to protect 85,000 other employees. Their non-nerd employees were able to avoid phishing attacks with this system, on their own.
And you can have whatever payout you want; I say reward yourself and take yourself outside for an activity.
Re: (Score:3)
But why does the key work better than authenticating with a mobile phone?
Both are "something you have" so what's the difference? Of course the phone is "something you already have" while the key is "something you have to buy".
Re: Wow a whole year (Score:1)
Because a scammer can call you and pretend to be tech support and say hey we just sent you a code read it to me.... Bam hacked. With psk u2f token the challenge response is automatic and signed from the key they can't ask you to read something to them because there is nothing to read and no prompt to get the challenge response passed from the key and since the key is signed per url you can't even spoof a web page for them to go to unless you are able to modify googles internal DNS servers and I assume the
Re: (Score:2)
Because a scammer can call you and pretend to be tech support and say hey we just sent you a code read it to me.... Bam hacked.
That would only work for a very dumb implementation. You can authenticate with an app on your phone that receives a token, hashes it with both the code and a private key, and then sends it back. A scammer will need more than just the code. He will also need the phone.
Re: (Score:2)
Phones don't have some sort of protected hardware keyboard that can be connected to a particular data stream. Anything that the phone can send when you touch the screen, it can send when contacted by the author of an app you installed.
Also, anything that can have new apps installed by the user is not secure, and you can't promise that it does anything the way it is supposed to.
It isn't enough to have an implementation that would work in a perfect world. If the implementation runs on a phone, you have no ide
Re: (Score:2)
the key is signed per url
No. If they are using Yubikey (as in the picture next to the article), it's just a time- or counter based security token like those homebanking tokens that display a number when you press the key. Except that the Yubikey doesn't display it but emulates a keyboard, and "types" it in. If you're focused on a password field, you don't see the key. But if you're focused on an editor or a terminal you sure well can see it. The Yubikey is an input only device (only sends data to the computer) with no way of knowin
Re: (Score:2)
> bank I use has a device with a tiny camera
Great. My bank only has SMS based 2FA, with a checkbox on the screen labelled 'I forgot my device, log me in without it'. I kid you not. I've complained to their minimum wage offshore support people who can't find my words in their script so don't say anything.
Re: (Score:2)
>But why does the key work better than authenticating with a mobile phone?
Because it's trivial for someone to contact your phone provider, pretend they're you and have your phone number ported over to the hacker's device. This gives them SMS 2FA, call-back 2FA, etc.
Best to use a Yubikey and Yubico Authenticator for all 2FA websites that support Google Authenticator.
Re: (Score:2)
Because it's trivial for someone to contact your phone provider, pretend they're you and have your phone number ported over to the hacker's device.
That would only work for a very dumb implementation. Google could install a custom app on each employee's phone that had a unique private key. Instead of $20 each, it would cost $0, and would not require every employee to carry an extra dongle everywhere they go.
Re: (Score:2)
And you'd just let your employer install arbitrary software on your phone?
Re: (Score:2)
But how do they discover all the hardware backdoors on the platform to verify the security?
Just having permission to install stuff on your phone, or having complete control of your OS, that's not enough for them to know what code runs when they try to run their code on it.
Re: (Score:2)
When you use a key the browser hashes the domain of the site you are logging in to and sends it to the key. So right away phishing sites don't work. They can't trick users into entering their time dependent codes into the wrong site.
Then the key sends the time dependent code back to the browser. It's never displayed to the user, there is no way to trick the user into giving it to you over the phone etc.
Since it's not SMS based either there is no way to hijack a SIM card to get the code.
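To make the origin-binding argument above concrete (and the point made elsewhere in the thread that a TOTP code can be phished while a U2F assertion cannot), here is an added, self-contained simulation; it is not code from the article, from Google or from Yubico. The origins are hypothetical, the "key" is a software stand-in, and HMAC-SHA256 replaces the ECDSA P-256 signature a real token produces. What it preserves is the structure: the browser, not the page, derives the application hash from the origin it is actually on; the key handle is bound to that hash; the signed payload carries the hash, a monotonically increasing counter and the challenge; and the relying party checks all three. The TOTP code, by contrast, is just a number the user can type anywhere.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# ---- TOTP (RFC 6238): shared secret on both sides, the code is a number the user types ----
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def phish_totp() -> bool:
    """Attacker's page asks for the code; user reads it off the phone and types it in.
    The attacker relays it to the real site within the 30 s window. Returns True if accepted."""
    secret = os.urandom(20)                      # constructed shared secret
    now = int(time.time())
    code_typed_on_phishing_site = totp(secret, now)
    return totp(secret, now) == code_typed_on_phishing_site   # nothing ties the code to an origin

# ---- simulated U2F token (HMAC-SHA256 stands in for the token's ECDSA signature) ----
class SecurityKey:
    def __init__(self):
        self._secret = os.urandom(32)   # device secret, never leaves the token
        self._counter = 0

    def _app_key(self, app_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, app_hash + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, b"handle" + app_hash + nonce, hashlib.sha256).digest()[:16]

    def register(self, app_hash: bytes):
        nonce = os.urandom(16)
        # key handle = nonce + tag binding it to this app_hash; the RP stores it as an opaque blob
        key_handle = nonce + self._handle_tag(app_hash, nonce)
        return key_handle, self._app_key(app_hash, nonce)   # app_key plays the role of the public key

    def sign(self, app_hash: bytes, key_handle: bytes, client_data_hash: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(app_hash, nonce)):
            raise ValueError("key handle was not registered for this origin")  # real tokens return an error
        self._counter += 1
        signed = app_hash + b"\x01" + struct.pack(">I", self._counter) + client_data_hash
        sig = hmac.new(self._app_key(app_hash, nonce), signed, hashlib.sha256).digest()
        return self._counter, sig

def client_data_for(challenge: bytes, origin: str) -> bytes:
    return b'{"challenge":"%s","origin":"%s"}' % (
        base64.urlsafe_b64encode(challenge).rstrip(b"="), origin.encode())

def browser_sign(origin: str, key: SecurityKey, key_handle: bytes, challenge: bytes):
    """The browser, not the page, derives app_hash from the origin it is on."""
    app_hash = hashlib.sha256(origin.encode()).digest()
    client_data = client_data_for(challenge, origin)
    counter, sig = key.sign(app_hash, key_handle, hashlib.sha256(client_data).digest())
    return client_data, counter, sig

class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.app_hash = hashlib.sha256(origin.encode()).digest()
        self.keys = {}   # user -> (key_handle, app_key, last_counter)

    def enroll(self, user: str, key: SecurityKey) -> bytes:
        handle, app_key = key.register(self.app_hash)
        self.keys[user] = (handle, app_key, 0)
        return handle

    def verify(self, user: str, challenge: bytes, client_data: bytes, counter: int, sig: bytes) -> bool:
        handle, app_key, last = self.keys[user]
        if client_data != client_data_for(challenge, self.origin) or counter <= last:
            return False   # wrong origin/challenge, or a replayed assertion
        signed = self.app_hash + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()
        ok = hmac.compare_digest(sig, hmac.new(app_key, signed, hashlib.sha256).digest())
        if ok:
            self.keys[user] = (handle, app_key, counter)
        return ok

def u2f_scenarios() -> dict:
    rp = RelyingParty("https://accounts.example.test")     # hypothetical relying party
    key = SecurityKey()
    handle = rp.enroll("alice", key)
    challenge = os.urandom(32)                              # attacker relays the RP's real challenge
    try:   # user is on the look-alike site; the browser hashes that origin, the key refuses the handle
        browser_sign("https://accounts-example.test", key, handle, challenge)
        phished = True
    except ValueError:
        phished = False
    client_data, counter, sig = browser_sign(rp.origin, key, handle, challenge)
    legit = rp.verify("alice", challenge, client_data, counter, sig)
    replay = rp.verify("alice", challenge, client_data, counter, sig)   # same assertion again
    return {"phished": phished, "legit": legit, "replay": replay}
```

Running `u2f_scenarios()` gives `phished=False, legit=True, replay=False`, while `phish_totp()` returns `True`: the TOTP relay succeeds because the code carries no origin, whereas the security key never produces anything for the look-alike origin, and even a captured assertion is rejected on the counter.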
Re: (Score:2)
But why does the key work better than authenticating with a mobile phone?
Both are "something you have" so what's the difference? Of course the phone is "something you already have" while the key is "something you have to buy".
The phone is something you have only until the scammer convinces the phone company to transfer access to them. So technically, while you may or may not own the physical phone but do control it, you do not own or control the phone's identification; the phone company owns and controls that.
Re: (Score:2)
But why does the key work better than authenticating with a mobile phone?
Both are "something you have" so what's the difference? Of course the phone is "something you already have" while the key is "something you have to buy".
The phone is not "something you have," it is just a networked host that you believe yourself to control. It is not different than renting a VPS in a datacenter somewhere and running some software on it.
The dongle is something you have, because it isn't networked, and it isn't a general purpose computing device that could be doing something different than you expect.
Re:Wow a whole year (Score:5, Insightful)
Google has 85,000 employees. For a phishing attack to work, it has to work on the dumbest employee.
Since this implies that there were successful phishing attacks more than a year ago, congratulations on being better at security than the person in Google who gives the least shits.
Re: (Score:3)
It's also Google. They are more likely to be spearphished than anonymous cowards ;-)
So they get more of them and better ones.
Re: (Score:2)
Google has 85,000 employees. For a phishing attack to work, it has to work on the dumbest employee.
Since this implies that there were successful phishing attacks more than a year ago, congratulations on being better at security than the person in Google who gives the least shits.
You really are quite full of yourself. Just because somebody falls for a phishing attack that does not mean they are dumb. It just means that they don't know as much about computers and malware as you do.
Re: (Score:2)
It just means that they don't know as much about computers and malware as you do.
It also means they are impervious to learning. Google tries to educate all their employees about security. There is a word for people that are ignorant, and are unwilling or unable to learn: dumb.
There will always be dumb people, so the smart thing to do is to fix the system not the people.
Re: (Score:1)
I've never fallen for a phishing email with or without 2fa.
If Google's getting kudos after a year, I want a goddamned payout.
You think maybe a Google employee is a slightly higher value target than you? And 85000 is a greater number than 1?
Re: (Score:2)
My company conducted a penetration test, which began with the security company sending a phishing email to all employees. AT LEAST one person in EVERY department clicked the link, except software development. That was enough. They got in to multiple servers and were able to harvest some passwords from memory.
Not everyone is as "smart" as you are.
Braindead email/browser and IT (Score:2)
> AT LEAST one person in EVERY department clicked the link, except
> software development. That was enough. They got in to multiple
> servers and were able to harvest some passwords from memory.
If "clicking a link" results in bad guys getting into multiple servers, there needs to be mass firings in IT.
Re: (Score:2)
Clearly, you've never experienced a REAL penetration test. There is ALWAYS at least one door left open somewhere. Including your company.
Comment removed (Score:3, Funny)
Re: (Score:1)
I don't have mod points but I sure as hell got a fucking sense of humour and this in funny.
2FA finally (Score:5, Interesting)
And I went to Google Authenticator only after I figured out how to put the same code on multiple devices and assure myself that I had enough backup hard copies of keys that I would not likely get locked out permanently should I ever lose my phone, etc.
The U2F works great for corporate, etc. where you have a support team who can help you in case you lose it or forget anything. They can make you come in person and prove that you are you.
The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.
Re:2FA finally (Score:4, Interesting)
JWZ had a writeup about SMS, Google Auth and OTP
https://www.jwz.org/blog/2018/... [jwz.org]
Re:2FA finally (Score:5, Interesting)
JWZ had a writeup about SMS, Google Auth and OTP
https://www.jwz.org/blog/2018/... [jwz.org]
Using a TOTP solution like 1password or Google Authenticator is better than SMS, because unlike SMS it's very difficult to hijack. But it's still not as good as security keys (AKA FIDO U2F) as described in this article, because it can be phished. If you're certain that you could never, under any circumstances, be social-engineered into giving up your TOTP code then you're probably wrong about how gullible you are, because there are some really talented social engineers out there. But with U2F, you just can't do it.
Also, U2F is much more convenient. You have to buy a USB dongle (or three) and stick one in your USB port, but then when you have to authenticate all you have to do is touch it. So much more convenient than looking at a number and typing it in. I work for Google, and the various systems I use require me to authenticate about a dozen times every day -- but often the authentication required is U2F only (because I already authenticated recently with my password) so it's very low-effort. The same would not be true if TOTP were required.
Do keep in mind if you go U2F only, though, that losing or destroying your security key means you're locked out of your account and the only available recovery process will be intentionally tortuous and may fail. So use multiple security keys, and I'd suggest keeping a set of backup codes in a safe place that is also quite inconvenient for you to access (making it hard for anyone to social engineer you into giving them a code).
Re: (Score:2)
I think that for most people, the combination of relative usability and risk leads to the choice of using TOTP on your phone, not the extent of a hardware dongle / key.
For some service where you have no other way to prove yourself, losing the hardware is just too risky. For me at least.
Re:2FA finally (Score:4, Informative)
I think that for most people, the combination of relative usability and risk leads to the choice of using TOTP on your phone, not the extent of a hardware dongle / key.
I disagree. I think the security key is the most usable solution, especially if you get the nano-sized keys that fit almost entirely into the USB port so you can just leave them plugged in all the time. This does mean that if you lose your laptop you lose the security key as well, but (a) you can revoke the key, (b) the most important risks are from remote attackers and (c) if a sophisticated attacker gets your laptop you're probably SoL anyway.
The only real argument against U2F, IMO, is cost. You have to buy the security keys.
For some service where you have no other way to prove yourself, losing the hardware is just too risky. For me at least.
That problem is orthogonal to the question of what type of 2FA to use. If you only use TOTP on your phone, then losing your phone (or dropping it in the toilet, etc.) leaves you without a way to recover. With Google's services, you can use U2F *and* TOTP *and* SMS *and* backup codes if you want. Of course, the more you use the more opportunities you give an attacker, so there's a tradeoff.
IMO, the best solution is a nano U2F security key which you leave in a USB port of each computer you use, plus another (larger) U2F security key on your key ring and one more stored in a safe place, along with a printed list of backup codes. This is not the cheapest solution, however, since if you have a laptop and a desktop it means you need four U2F keys.
Re: (Score:2)
I disagree. I think the security key is the most usable solution, especially if you get the nano-sized keys that fit almost entirely into the USB port so you can just leave them plugged in all the time. This does mean that if you lose your laptop you lose the security key as well, but (a) you can revoke the key, (b) the most important risks are from remote attackers and (c) if a sophisticated attacker gets your laptop you're probably SoL anyway.
In other words client certificates are sufficient and always plugged in hardware tokens unnecessary.
The only real argument against U2F, IMO, is cost. You have to buy the security keys.
Or being stupid enough to allow let alone require use of USB ports in the first place.
Re: (Score:2)
I disagree. I think the security key is the most usable solution, especially if you get the nano-sized keys that fit almost entirely into the USB port so you can just leave them plugged in all the time. This does mean that if you lose your laptop you lose the security key as well, but (a) you can revoke the key, (b) the most important risks are from remote attackers and (c) if a sophisticated attacker gets your laptop you're probably SoL anyway.
In other words client certificates are sufficient and always plugged in hardware tokens unnecessary.
Absolutely not. There are crucial differences between U2F security keys and client side certs:
1. U2F keys only sign an auth request when touched. This means that purely remote attacks can't work; the attacker has to arrange for the user to prove that they're physically present.
2. U2F keys do not allow a remote attacker to obtain a copy of the private key material. At most the attacker can convince the user to touch the key to activate each authentication operation. With client side certificates, if t
Re: (Score:2)
Absolutely not. There are crucial differences between U2F security keys and client side certs:
Comments were about practical differences not physical differences.
All physical differences cited vanish when client certs are stored in TPM.
1. U2F keys only sign an auth request when touched. This means that purely remote attacks can't work; the attacker has to arrange for the user to prove that they're physically present.
Anyone can set a client certs to prompt prior to use.
Attackers probably have many sheep to attend to. Waiting for you to press a button before they can hijack your session is probably not top of mind / significant hurdle.
2. U2F keys do not allow a remote attacker to obtain a copy of the private key material. At most the attacker can convince the user to touch the key to activate each authentication operation. With client side certificates, if the attacker can remotely exploit the machine, he can steal a copy of the private key material and have unlimited use of it and most likely the user will have no idea.
You seem to have made a fairly rational case for this being mostly irrelevant in practice when YOU stated the following: "(a) you can revoke the key,
Re: (Score:2)
Certs can be copied to another machine. USB dongles cannot. Doesn't that make a huge difference and invalidate your argument?
Not if you take steps to avoid it.
This is similar to taking steps from avoiding keys distributed to USB dongles from being duplicated during the process.
Re: (Score:2)
The only thing I worry about with U2F is that no one seems to make a key with an emergency erase feature.
Re: (Score:2)
The only thing I worry about with U2F is that no one seems to make a key with an emergency erase feature.
All U2F security keys I've used can be erased... you just delete the U2F applet. But in an emergency I think it's more likely that what you need to do is to remove trust on the server side.
What threat are you trying to address?
Re: (Score:2)
Someone tries to take your key away. You fear it may be confiscated. You need to pass through some security without having the opportunity to erase it first.
I've been thinking about building something like this for a while. All it would need is a small battery to give it enough energy to do the secure erase when a button is held for several seconds.
Re: (Score:2)
True, it's still only 1 of 2 factors. I want one with HID keyboard mode too, so I can use it to enter a really long password (with my own password prefixed of course) for stuff that doesn't support proper 2FA.
2FA finally-smart-cards. (Score:1)
Doesn't sound much different than what people used to do with Sun Rays and the smart card one used with them. Heck, mine doubled as a key card for getting into certain sections of the building.
Re: (Score:2)
JWZ had a writeup about SMS, Google Auth and OTP
https://www.jwz.org/blog/2018/... [jwz.org]
Using a TOTP solution like 1password or Google Authenticator is better than SMS, because unlike SMS it's very difficult to hijack.
You see the problem is... I need 2FA (Two Factor Authentication) for a variety of things, several banks, work, access to some government services. Most people do. SMS is available to everyone and universally accepted, not to mention cheap. I don't want to have to have a dongle for every single different bank nor can I believe that all these different services are going to get behind a single 2FA token (definitely not without some govt intervention and whilst I'm not one to go on wild anti-govt conspiracy the
Re: (Score:2)
You see the problem is... I need 2FA (Two Factor Authentication) for a variety of things, several banks, work, access to some government services. Most people do. SMS is available to everyone and universally accepted, not to mention cheap.
And insecure. You argue that it could be made more secure, but I don't see any sign that that is going to happen.
I dont want to have to have a dongle for every single different bank nor can I believe that all these different services are going to get behind a single 2FA token
You may not believe it, but it's happening. So far, I use my FIDO U2F keys for logging into email (work and personal; though both are gmail), Github, Dropbox, Twitter, my Vanguard 401K account, my health savings account, and my health insurance account. There are still a lot of institutions that haven't yet adopted U2F, but it is the standard and obvious next step beyond SMS, so as organizations
Re: (Score:2)
> U2F is much more convenient
Not if you have an iPhone. It doesn't work on an iPhone so you can't access any of your accounts from the phone.
Re: (Score:2)
> U2F is much more convenient
Not if you have an iPhone. It doesn't work on an iPhone so you can't access any of your accounts from the phone.
Works great on Android :-)
(Though you have to get an NFC-enabled U2F key. Also, Android devices with appropriate security hardware implement the new FIDO standard, so in many cases the phone itself can act as the U2F key.)
Re: (Score:2)
Yes, the 3-2-1 backup strategy. Keep 3 copies on 2 different storage types with 1 of those copies offsite.
It's really, really nice knowing that nobody can hack into my e-mail even if they somehow managed to obtain the password. I just wish Amazon and my bank supported U2F.
Best backup solution... (Score:4, Funny)
The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.
QR tattoos make a great long-term backup solution. Preferably under hair -- on a pet.
Re:2FA finally (Score:4, Informative)
The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.
You can use multiple U2Fs, and store one (or more) offsite. I'd recommend a set of backup codes offsite as well, where you won't be tempted to use them (to make phishing you harder), but where you can get them if needed.
Re: (Score:3)
The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked
They just really need to come up with a coherent standard and get everyone onboard. Because SMS kind of made sense, until you find out that SMS is totally insecure. Then Google Authenticator (and similar OTP) comes out, which... really isn't half as good as people make it out to be. It's really just a second password, but stored and transmitted in a different way. That is, as far as I understand, the difference is that instead of sending the password over the internet and then storing a hash on the webs
Re: (Score:2)
It resolves your issues.
Re:2FA finally (Score:4, Informative)
Actually you can have backups.
When you enable 2FA, you'll get 10 backup codes which you can print and store offline (in a safe place).
You can also associate more than one device for 2FA. I actually have 4 active devices on my account. (One on the keychain, another on my badge, 2 backups at home).
Even if you were to lose all of them, it would still be possible to recover your account, however would of course require some effort.
Re: (Score:2)
I have TOTP (Google Authenticator, Authy, Auth+ etc) on my phone and on an old iPod Touch I wasn't using anymore. If I lose my phone I'm not locked out of my accounts.
Google's 2FA defaults are annoying (Score:4, Interesting)
Every time I log into a new box, the checkbox to remember this computer (and thus bypass 2FA in future) is pre-checked when inserting my hardware token.
Yes, signing into a machine means that to a certain degree I believe it's not already compromised. However, if I was wrong, and it was compromised, at least the hardware token should prevent password replays after 20 seconds had elapsed. Not with Google's defaults though! AFAIK there isn't even an option to change the default to unchecked if I wanted to.
Yubico was talking about this during a Linux talk (Score:4, Interesting)
Earlier this summer, Yubico mentioned this as part of a conference. For something as large as Google, this is pretty notable.
The biggest advantage the Yubikeys give is the proof there is some type of living being at the machine, via the button press. Of course, this doesn't mean 100% security in the future, but it means that an attack has to be done and queued up when someone is using the machine.
Yubico was talking about this-BT (Score:1)
Unfortunately their mobile version only works on NFC phones. No Bluetooth version for cheaper phones.
Lemme get this straight ... (Score:2)
... Manning walks past security with a Lady Gaga CD and inserts that into a computer and walks out with the good stuff.
Now we have a shit load of people pulling out USB sticks ...
Re: (Score:2)
that a company so legendary for its recruitment practices, would let people who would fall for phishing scams join in the first place. Time to reapply!
Hehe. I imagine though that a Google employee makes for quite a high-value target, corporate espionage for example. You would think that a bad actor would put a bit more effort into them than your usual mass-emailed phish.
When will banks do this? (Score:2, Offtopic)
People are amazed I don't do on-line banking, given my high tech lifestyle and knowledge of computers. I don't do online banking precisely because of what I know of computer security.
I'll take on-line banking seriously when my bank takes it seriously. That means offering some kind of key for user verification. This might be in the form of one of those pseudo-random number generators I had from a previous employer, a USB key like mentioned in the fine article, or whatever else of similar function that mig
Re: (Score:2)
Your bank didn't give you an OTP generator? Dude, change bank, I got mine 9 years ago.
Re: When will banks do this? (Score:1)
That doesn't help. The hackers will do your "banking" for you using your account
U2F for cheap (if you can come up with 4 friends) (Score:4, Informative)
This usb-connector sized ARM computer can run the U2F stack: http://tomu.im/ [tomu.im]
At $12/each (quantity 5) they aren't the cheapest out there (Amazon has 2 for $10), but they are fully open source.
Re: (Score:2)
Well, they recommend that when you build the software, you create and install the key into the software (presumably on a secure, non-networked machine, like you use to create your certs) and so even if the chip is fully secure (it's not) you could still have a backup of the key.
Re: (Score:2)
No, though you can set flags on the build to disable debug readout of the software/data.
It's no Yubikey, but it's $12 in quantity 5, and it's way safer than no U2F device at all...
What happens (Score:3)
Also, passwords are free. Those USB 2FA are $20.
Re: (Score:2)
You use more than one 2FA method, of course. I have a smartphone app as a backup, SMS as a backup, and a printed copy of backup keys.
There is NO reason not to implement 2FA. You don't even need the hardware key. Just stop relying on a password alone.
Re: (Score:2)
That and most of them require a device that I might not have or is not working.
Re: (Score:2)
Like a hotel key, IT can just associate a new key with your account.
Also, passwords are not free when they result in data breaches.
How many were scammed before 2FA? (Score:3)
Absolutely nothing to do with the security keys (Score:3)
"...unless they also hack or possess that second factor" . . or socially engineer a user in a dozen ways.
Google's success here has absolutely nothing to do with the security keys. This kind of success has everything to do with being different.
Around here, we call this "the club" scenario. For those not in the know, there is (was?) a car security device called "the club" that locked your car's steering wheel, making it physically impossible (inconvenient?) to drive. Was it difficult for a car-thief to disable the club? Not really. Was it easier for a thief to steal a different car in the parking lot? Absolutely.
To forego the another-car-analogy, we can also look at the reason that left-handed sports players are always statistically better -- it's simply because most players aren't left-handed, which means that most players encounter fewer lefties, and hence are less experienced against lefties.
In either case, it's called a dominant minority.
Google's not successful here because they have chosen to use security keys. Google is successful here because they spent a lot of time and money and training and effort and co-ordination to do something that most people aren't currently doing.
Security keys are the minority. Hence, they are more troublesome targets.
Wait a few years.
The win here is "something new". The moment it isn't new, it won't be any more secure than anything else.
Re: (Score:2)
Except that in this case, the hardware keys they are using generate one-time passwords. So yeah, their success IS a result of what they are doing, not just that they're doing "anything".
Re: (Score:2)
You misunderstood. They are doing something "different". As a direct result, they are harder targets than others. The moment everyone does the same thing, bad actors will happily target google the same as everyone else.
It's only difficult to break security keys because they aren't everywhere...yet.
Re: (Score:2)
You're partly right, in that hackers can potentially find a way to get around these security keys. But password-based security is SO easy to defeat that it's barely better than just SHUTTING your car doors, without locking them. If you have no password to type, you can't be tempted to type it into a fake Web site linked by a suspicious email. You won't have a password to supply to the fake Web site. That's the point. Using hardware keys eliminates the weakest link in security: the human.
Re: (Score:2)
I couldn't have said it better myself -- in support of the reverse point.
Locking your car door is barely better than just shutting it. Took me 4 minutes to break into a friends' sports car last week when she locked her keys in her trunk. You don't need to be a locksmith to use a wire hanger through the window seal.
Saying that keys remove the human element is like saying, oh wait, that keys remove the human element. You have keys to your office, so you don't need to say the magic word to the guard through
ancient (Score:1)
So - using the same tech as we did 15+ years ago. Google, always on the cutting edge.
But how many thousands of hours were lost? (Score:5, Interesting)
We started requiring a YubiKey USB key, and hours worked by people from home dropped over 20%! YubiKey claims to be FIPS compliant which is what our SSAE 16 requirements require. Security is important, but blocking people working extra hours is a huge cost.
Re: (Score:2)
Blocking people working extra hours? I'd call that a feature, not a bug.
Is this a physical physical 2fa or potential softt (Score:3)
I use authy (Google authenticator, improved edition) and just load all my soft tokens in there. Very good program.
I have even followed a very frustrating process to load in my PayPal authenticator in to it.
https://medium.com/@dubistkomi... [medium.com] (really recommend that for PayPal users)
Screw SMS authentication.
Is this an improvement? (Score:2)
The physical security system for security keys is definitely superior in terms of security from a technical standpoint compared against security codes, but how many successful phishing attacks did they witness before this rollout?
I do hope that security keys find wider adoption (they're genuinely convenient and offer strong security), but we would need more information to know if this is actually a significant improvement in real security over more basic forms of two-factor authentication.
Smart cards redux (Score:2)
Smart cards are 1/4 the cost of YubiKey, readily available from multiple vendors, standards based and have been in production use for well over a decade. Nice to see companies like Google rediscovering and adopting poor implementations of old existing technology.
Direct USB interface is far inferior from a security POV for smart card application because an unguarded USB dongle can exploit the attack surface of an elephant standing on a giant turtle standing on a 747.
Covert replacement of USB devices is a ma
Re: (Score:2)
Aren't most smart-card readers themselves USB devices?
Plugging a smart card you find on the floor into a USB smart card reader will not compromise your system.
Plugging a USB stick you find on the floor into a USB port can easily compromise your system.
Gotchas (Score:3)
* I bought one spare just in case I lose the main key. This is recommended by Yubi.
* I got another spare just in case either of the two primary keys blows its cookies. This is recommended by me because I used to do firmware for rotating mass storage devices. Hardware goes bad.
* All three must be configured identically with the Yubi Personalization Tool. Relatively easy.
* Now I've got 3 keys, none of which can fall into enemy hands. This is more work, worry and responsibility than a single key, but I think the pluses outweigh the minuses.
Speaking of 2FA .... (Score:4, Interesting)
Maybe I'm being totally clueless here, but I'm sure some of you more well versed in system security than I am can provide insight.
What I don't get about 2 factor is, it seems like only the "second step" provides the true security? I mean, considering you already have the additional hassle of having to enter a randomly generated key code, produced on your piece of hardware you're carrying around, why even bother with the first part; the traditional password, anymore?
Passwords are regularly getting hacked or stolen from databases containing them, so they're failing at serving as good security. So why even bother with them anymore? Wouldn't it be just as secure, really, to log in as a user and immediately ask for that randomized, rotating code that the owner's device displays for them to enter?
Re: (Score:2)
That is the whole point. With a hardware key, you no longer type a password.
https://www.yubico.com/start/m... [yubico.com]