A YubiKey Security Key made by Yubico.
The basic model featured here retails for $20
The basic idea behind two-factor authentication (2FA/U2F) is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
by Brian Krebs – Krebs on Security
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.
Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).
A Google spokesperson said Security Keys now form the basis of all account access at Google.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.
In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).
U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, Keepass and LastPass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.
With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.
Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”
Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.
Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.
If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. Twofactorauth.org maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).
In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.
While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.
I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.
25 JUL 2018
Google really, really wants you to use physical security keys to protect yourself from hackers. After announcing that its 85,000 employees have managed to go more than a year without getting phished because of mandated security devices, Google now has its own physical security key to sell you.
On Wednesday, the company announced its new Titan security key, a device that protects your accounts by restricting two-factor authentication to the physical world. It’s available as a USB stick and in a Bluetooth variation, and like similar products by Yubico and Feitian, it utilizes the protocol approved by the FIDO alliance. That means it’ll be compatible with pretty much any service that enables users to turn on Universal 2nd Factor Authentication (U2F).
At this point, everyone should be familiar with the basic two-factor authentication that adds an extra layer of security on top of the standard password. You can request a text message or use an authenticator app to generate a code that also has to be entered to access your account. This helps mitigate the risk involved with being tricked into handing over your password. But the technique can still be circumvented by a hacker.
U2F goes further by requiring a USB device that’s inserted into your computer or an NFC device to be in close proximity to your device. Google is also spearheading the move to using Bluetooth (BLE) for its U2F. Bluetooth aside, however, it’s unclear what exactly sets Google’s product apart from its competitors.
In an email to Gizmodo, the company said, “Titan Security Key gives you even more peace of mind that your accounts are protected, with assurance from Google of the integrity of the physical key.” So it appears that above all, Google is simply betting on brand recognition—and it’s true that you don’t want to buy this kind of gear from an unknown source.
Yubico pioneered this technology and is the dominant force in manufacturing U2F devices as well as further refining its protocols. It counts major companies like Facebook among its business clients. Google has also been a Yubico client and the two companies have worked together on the development of the FIDO standards over the years.
Following today’s announcement of the Titan key, Yubico CEO Stina Ehrensvard wrote a blog post that was slightly critical of Google’s new product. Ehrensvard insisted that everyone at Yubico “are true supporters of open standards” and all new competitors in the field are welcome. But she singled out a couple of points for users to keep in mind if they’re trying to decide if they want to go with Titan. From her post:
Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.
Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.
When we asked Google if it would like to respond to the concerns Ehrensvard raised, a spokesperson declined. Her point about the country in which Titan is being manufactured is a bit confusing. It appears she’s trying to say that Google’s device is being manufactured in a country that could leave it open to being compromised. When we asked Yubico what this meant and where Titan is being produced, a spokesperson referred us back to Google.
Yubico’s spokesperson did point us to a recent warning from the U.S. Computer Emergency Response Team that Bluetooth devices potentially contain a vulnerability that would allow an attacker to access your data. Yubico says it’s focused on near-field communication (NFC) instead of Bluetooth and it plans to “announce another secure and user-friendly solution for iOS” soon.
Speaking of user-friendly solutions, U2F, in general, is a bit of a pain in the ass. CNET got a hands-on preview of the Titan key and found themselves locked out of their accounts when they forgot the device at the office. They recommend setting up a backup verification with Google that sends a notification to get you back into your accounts to a trusted device. But I’m sure most people are pretty good about remembering the keys to their house or car, and carrying this could become second-nature after a while.
As far as why Google is doing this at the moment, it seems reasonable that it’s genuinely trying to ingrain that kind of second-nature into the public. Yubico makes plenty of money, but not the kind of fuck-you money that fuels Google. Titan appears to be mostly about spreading public awareness and doing some brand building around security. Earlier this year, Google lamented that only 10 percent of Gmail users have enabled two-factor authentication. Encouraging users to get into security keys widens the Overton window on what people are willing to tolerate as a necessary annoyance.
Google Cloud customers can already order Titan keys through their Google rep and the company says they’ll be available to everyone soon for $20 to $25, which is a fairly standard price. If you don’t want to wait, Yubico and Feitian have respected keys that are ready to ship out now.