Google Boosts High-Risk Account Security with Phone-Only Setup
Google has streamlined its Advanced Protection Program, allowing users to enroll using a single passkey instead of two physical security keys. The program, designed for individuals at high risk of targeted online attacks, now uses built-in biometric authentication on Pixel phones and iPhones.
It works (Score:2, Informative)
It's well worth joining this programme if you are at all concerned about people trying to take over your Google account. I was getting harassed years ago and signed up, and as well as protecting my accounts it also gives you a lot of information about the attacks being made. Some of it is quite revealing, like the timezones involved.
Re: (Score:3, Insightful)
With phone cloning, you have one single device that controls access to your life... Enjoy, thieves!
Re: (Score:2)
Doesn't work on Pixel devices. I haven't tested iPhones but I hear they can't be fooled by a photo either.
iPhones are easy to hack so I wouldn't recommend using those, but there are no known bypasses for Pixels.
Pixel only? (Score:4, Interesting)
Is Google doing its trick of adding things to Pixel phones only (and blocking Samsung/OnePlus/etc.) again?
Dear Google: please stop. Make all Android phones equal. This makes me LESS likely to ever buy a Pixel.
Re: (Score:2)
I don't think so. The phone just needs to have FIDO support, which Pixel phones do. According to Samsung's website they do support it on their Galaxy phones.
So they trust their own chips (Score:3)
Essentially, biometric "authentication" isn't particularly secure. There are 3 categories of problem:
1. It's hard to keep biometrics secure. Everybody can get to your fingerprints or iris images. All systems so far could be duped into accepting forged biometric measurements.
2. You cannot derive keys from biometrics, which means that you can only use it to unlock a key that was already stored in plaintext. Even with special hardware such keys can in principle be retrieved with a modest budget.
3. It's unclear how big the "key space" is. How many unique fingerprints will a device recognize before confusing them? Early research suggests that there could be a low number of fingerprints that would unlock a high percentage of biometric systems. Numbers obviously depend on how the systems are set up. More research is needed here.
Of course we are talking about Google here. That's not suitable for storing valuable secrets.
Re:So they trust their own chips (Score:5, Insightful)
Biometrics are not a secure means of authenticating anything. Or even identification, unless you can absolutely prove that the user's sample came from them directly (i.e. not lifted from a cup in a garbage can, doorknob, sewer, etc.). FYI: A chip cannot do that at all, because it cannot reason. All it can do is process the sample it's given. It cannot track down the source or question the male user why they are handing the system a sample from a woman.
Of course we are talking about Google here. That's not suitable for storing valuable secrets.
Granted, Google isn't a trustworthy keeper of secrets. However, given that TFS is about authenticating to Google directly, that really doesn't matter here. Google already knows what you're authenticating to access on their servers.
Once-a-day (Score:2)
So Google is back to "my phone is my password" thinking, now with a biometric unlock of unknown accuracy and reliability. Okay, leaving a security key (or two) plugged into a device all day isn't an improvement: why do people do that? But for a once-a-day login, a separate piece of hardware means losing the phone is not the same as losing the password.
I pass. Once lost access to my Google Project Fi. (Score:3)