SoylentNews is people

posted by cmn32480 on Sunday February 26 2017, @10:17AM
from the the-key-that-bites-back dept.

Today, Google announced a new G Suite feature that allows admins to lock down accounts so they can only be accessed by users with a physical USB security key. The FIDO U2F Security Keys have been supported on G Suite and regular Google accounts since 2011, but now new security controls allow admins to make the keys mandatory for anyone who tries to log in.

Universal 2nd Factor (U2F)—initially developed by Google and Yubico—is a standard from the FIDO Alliance that allows a physical device to work as a second factor of authentication. After entering your username and password, you'll have to connect your device to your physical authentication key. The keys can support USB, NFC, and/or Bluetooth, allowing them to connect to desktops, laptops, and smartphones. Many services support U2F, like Dropbox, GitHub, Salesforce, Dashlane, and others. The Chrome and Opera browsers support U2F, along with Android and Windows smartphones. Modern iOS devices don't work with the standard, but Google appears to have some kind of workaround.

Are any Soylentils out there using U2F and if so, how's that working for you?

Source: ArsTechnica


  • (Score: 1) by Scruffy Beard 2 on Sunday February 26 2017, @04:09PM (2 children)

    by Scruffy Beard 2 (6030) on Sunday February 26 2017, @04:09PM (#471892)

    Two factor authentication is supposed to be "something you have" + "something you know". The problem is that, to save costs, the second factor is often simply "something you know" as well.

    SMS authentication being a prime example. It proves you know a phone number and are able to direct text messages to it. It does not prove you are using a specific device.

    The problem with TFA hardware is that they are essentially black boxes. If you are using a hardware device anyway, why not just use key-based authentication instead?

    The "thing you know" would be the passphrase to decrypt the key.

  • (Score: 0) by Anonymous Coward on Sunday February 26 2017, @08:29PM (1 child)

    by Anonymous Coward on Sunday February 26 2017, @08:29PM (#471987)

    It is not like that?
    I mean you have the password .. like before and the second factor is a physical hardware device.
    I always assumed before any OS can process the keys that are stored on a plugged-in security device it will prompt you for a "passphrase" (which ofc should be completely stealth and as a hardware device un-identifiable (no MAC address or serial number or such)) else alexa, google, cortana, etc. will report it and its plug-in location to TAH (sic) central YUGE database ... oops brackets [(])

    • (Score: 1) by Scruffy Beard 2 on Monday February 27 2017, @07:16AM

      by Scruffy Beard 2 (6030) on Monday February 27 2017, @07:16AM (#472138)

      I screwed up my explanation slightly. True TFA will do cryptographic operations on a hardware device the computer has no undue influence over.

      Sometimes, it is simply a synchronized counter.