
posted by cmn32480 on Sunday February 26 2017, @10:17AM
from the the-key-that-bites-back dept.

Today, Google announced a new G Suite feature that allows admins to lock down accounts so they can only be accessed by users with a physical USB security key. The FIDO U2F Security Keys have been supported on G Suite and regular Google accounts since 2011, but now new security controls allow admins to make the keys mandatory for anyone who tries to log in.

Universal 2nd Factor (U2F)—initially developed by Google and Yubico—is a standard from the FIDO Alliance that allows a physical device to work as a second factor of authentication. After entering your username and password, you'll have to connect your device to your physical authentication key. The keys can support USB, NFC, and/or Bluetooth, allowing them to connect to desktops, laptops, and smartphones. Many services support U2F, like Dropbox, GitHub, Salesforce, Dashlane, and others. The Chrome and Opera browsers support U2F, along with Android and Windows smartphones. Modern iOS devices don't work with the standard, but Google appears to have some kind of workaround.
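As an added illustration (not code from the Ars article or from any of the products it names), this is the core of what a relying party checks when a U2F key answers a login: an ECDSA signature over the application id, the user-presence bit, the key's counter and the client data, followed by the counter check that rejects a replayed response or a cloned key. The appId, the clientData JSON and the `Registration`/`SignAsKey` names are constructed for the example, and the token side is reduced to a signing function.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Registration is what the relying party stores at enrolment: the public half of
// the key pair, the appId it is bound to, and the highest counter seen so far.
type Registration struct {
	Pub         *ecdsa.PublicKey
	AppID       string
	LastCounter uint32
}

// NewKey mints the per-registration P-256 key pair a token creates at enrolment.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// digest hashes the U2F authentication payload that both sides reconstruct:
// sha256(appId) || presence || counter (4 bytes, big-endian) || sha256(clientData).
func digest(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.Sum256(append(append(append(app[:], presence), ctr[:]...), cd[:]...))
	return h[:]
}

// SignAsKey plays the security key: counter is the key's own monotonic counter
// (already incremented for this response) and presence=1 records the user's touch.
func SignAsKey(priv *ecdsa.PrivateKey, appID string, counter uint32, clientData []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(appID, 1, counter, clientData))
}

// Verify is the relying party: rebuild the digest from its own appId and clientData,
// check the signature, then require the counter to advance (replay / cloned key).
func (r *Registration) Verify(clientData []byte, counter uint32, sig []byte) error {
	if !ecdsa.VerifyASN1(r.Pub, digest(r.AppID, 1, counter, clientData), sig) {
		return errors.New("bad signature")
	}
	if counter <= r.LastCounter {
		return errors.New("counter did not advance: replay or cloned key")
	}
	r.LastCounter = counter
	return nil
}
```

Because the appId is hashed into the signed payload, a response produced for a different origin fails signature verification at the legitimate site, which is the origin binding that makes U2F resistant to password-phishing pages.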

Are any Soylentils out there using U2F and if so, how's that working for you?

Source: ArsTechnica

  • (Score: 3, Insightful) by mmh (721) on Sunday February 26 2017, @05:02PM (#471917)

    Personally, I hate 2FA, and actively avoid it wherever I can. The primary reason I avoid it is that I have never, not once, had an account "hacked" or a password guessed, while all it does is add more hoops to jump through.

    I use the password manager PWSafe (https://pwsafe.org/) which has support for Linux, Windows, Android, iOS (free app called StrongBox), and OSX. The password manager automatically generates passwords for each user account, so every account gets a unique password. An example of the type of password I use for each account: "17R@nFjnI(+6d%mSHCW$e?y5hh%TJwkk".

    Now introduce 2FA into the mix, and the steps to log in to an account become: type username, open password manager, copy-paste password, find 2FA device, insert 2FA device or enter 2FA code. Or... just don't bother logging in anymore.

    At my work, where I am forced to use 2FA, 2FA has instead crippled my password strength. My work password is now the equivalent of "xsw@1qaz", just a simple pattern, but it gets by most "password complexity" requirements. On top of that, the stupid RSA key they require me to use gets left on my desk, since forgetting or losing the silly device means I can't log in.

    The goal of security should be both to increase security, and to increase convenience. Adding more hoops to jump through is going to make me either not bother setting up an account, or dumb down the process.

    I think the iPhone has a good balance through the fingerprint reader. Most of the time, a fingerprint is enough to unlock the phone. But every now and then it makes you type in a password. I can live with that.

    That's how these 2FA devices should work: first, no username required. The 2FA device should serve as the username and token, and should be enough to log in MOST of the time. Then every once in a while, a password too.
