Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Security IT

Google Boosts High-Risk Account Security with Phone-Only Setup 10

Google has streamlined its Advanced Protection Program, allowing users to enroll using a single passkey instead of two physical security keys. The program, designed for individuals at high risk of targeted online attacks, now uses built-in biometric authentication on Pixel phones and iPhones.
This discussion has been archived. No new comments can be posted.

Google Boosts High-Risk Account Security with Phone-Only Setup

Comments Filter:
  • It works (Score:2, Informative)

    by AmiMoJo ( 196126 )

    It's well worth joining this programme if you are at all concerned about people trying to take over your Google account. I was getting harassed years ago and signed up, and as well as protecting my accounts it also gives you a lot of information about the attacks being made. Some of it is quite revealing, like the timezones involved.

    • Re: (Score:3, Insightful)

      by jhoegl ( 638955 )
      The best part about biometrics is placing an image of your face in front of the camera to unlock.

      That with phone cloning, you have one single device that controls access to your life.... enjoy thieves!
      • by AmiMoJo ( 196126 )

        Doesn't work on Pixel devices. I haven't tested iPhones but I hear they can't be fooled by a photo either.

        iPhones are easy to hack so I wouldn't recommend using those, but there are no known bypasses for Pixels.

  • Pixel only? (Score:4, Interesting)

    by sunderland56 ( 621843 ) on Wednesday July 10, 2024 @11:03AM (#64615875)

    Is Google doing it's trick of adding things to Pixel phones only (and blocking Samsung/OnePlus/etc) again?

    Dear Google: please stop. Make all Android phones equal. This makes me LESS likely to ever buy a Pixel.

    • by AmiMoJo ( 196126 )

      I don't think so. The phone just needs to have FIDO support, which Pixel phones do. According to Samsung's website they do support it on their Galaxy phones.

  • by Casandro ( 751346 ) on Wednesday July 10, 2024 @11:53AM (#64616021)

    Essentially biometric "authentication" isn't particularly secure. There are 3 categories of problem:

    1. It's hard to keep biometrics secure. Everybody can get to your fingerprints or iris images. All systems so far could be duped into accepting forged biometric measurements.
    2. You cannot derive keys from biometrics, which means that you can only use it to unlock a key that was already stored in plaintext. Even with special hardware such keys can in principle be retrieved with a modest budget.
    3. It's unclear how big the "key space" is. How many unique finger prints will a device recognize before confusing them. Early research suggests that there could be a low number of finger prints that would unlock a high percentage of biometric systems. Numbers obviously depend on how the systems are set up. More research is needed here.

    Of course we are talking about Google here. That's not suitable for storing valuable secrets.

    • by codebase7 ( 9682010 ) on Wednesday July 10, 2024 @12:34PM (#64616123)
      0. You cannot change biometrics when they are inevitably compromised.

      Biometrics are not a secure means of authenticating anything. Or even identification, unless you can absolutely prove that the user's sample came from them directly. (I.e. Not lifted from a cup in a garbage can, doorknob, sewer, etc.) FYI: A chip cannot do that at all, because it cannot reason. All it can do is process the sample it's given. It cannot track down the source or question the male user why they are handing the system a sample from a woman.

      Of course we are talking about Google here. That's not suitable for storing valuable secrets.

      Granted, Google isn't a trustworthy keeper of secrets. However, given that TFS is about authenticating to Google directly, that really doesn't matter here. Google already knows what you're authenticating to access on their servers.

  • ... using a single passkey ...

    So Google is back to "my phone is my password" thinking, now with a bio-metric unlock of unknown accuracy and reliability. Okay, leaving a security key (or two) plugged into a device all day, isn't an improvement: Why do people do that? But for once-a-day log-in, a separate piece of hardware means losing the phone is not the same as losing the password.

  • And then lost a very valuable phone number, access to my Gmail account. Yes, I know the password but thanks to two-factor authentication I lost access. In fact, I don't remember any instance where two-factor authentication made anything more secure. Most of the time it fucks things up. Mostly because things like SMS or Email are not very well suited. Nothing beats a hardware token generator. But back to google. Number gone, Gmail gone, most of paid Android Apps gone (Exception: pleco), some software companies that have a license bound to your gmail account (insync) issued my a new license after long negotiation. So thanks. Anything that relies on a Google account for any kind of security, I pass!

We all agree on the necessity of compromise. We just can't agree on when it's necessary to compromise. -- Larry Wall

Working...