Google will offer a physical security key to upgrade two-factor authentication for certain high-profile users:
The Alphabet Inc. company next month will begin offering a service called the Advanced Protection Program that places a collection of features onto accounts such as email, including a new block on third-party applications from accessing data. The program would effectively replace the need to use two-factor authentication to protect accounts with a pair of physical security keys. The company plans to market the product to corporate executives, politicians and others with heightened security concerns, these people said.
The Gmail messages of John Podesta, Hillary Clinton's 2016 campaign chairman, were famously hacked last year, along with the databases of the Democratic National Committee. Podesta met with the House Intelligence Committee in June to discuss the hack.
[...] The new service will block all third-party programs from accessing a user's emails or files stored on Google Drive, said the people, who asked not to be identified because the product isn't yet public. The program will be updated with new features to protect user data on an ongoing basis.
(Score: 1, Informative) by Anonymous Coward on Monday October 02 2017, @07:38PM (5 children)
Why not just get a yubikey?
(Score: 2) by bob_super on Monday October 02 2017, @07:57PM (1 child)
Interesting.
The RSA token works on all machines and operating systems, and the only interference possible is the capture of the number being typed (which could be enough, granted). Plug a device into something (wait, this one is USB and that is USB-C, where's my dongle), and all sorts of shenanigans can get in the way.
On the practical side, my token used to be on my keychain, and reaching for a USB port on both of my primary machines would have been a pain.
(Score: 0) by Anonymous Coward on Monday October 02 2017, @08:23PM
The Yubikey with NFC works on pretty much all devices except iOS (at present). But I understand the pain of reaching for a USB port each time you want to do something. For me, I don't find it an issue, due to my setup, however.
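The capture-and-replay risk bob_super points out for a typed token code is exactly what the FIDO/U2F protocol behind these security keys was designed to close. The following is an added example, not code from the article, from Google, or from any commenter. It is a toy model: HMAC-SHA256 stands in for the key's ECDSA signature (so the relying party holds the key's secret rather than a public key), and the origins `https://accounts.example` and `https://accounts-example.evil` are made up. What it preserves from U2F is the part that matters: the browser, not the web page, writes the origin it is actually on into the signed client data, so a response obtained on a phishing site does not verify at the real site even when the attacker relays the real site's challenge and the key's answer byte for byte.

```python
"""Why a U2F-style security key resists the OTP capture attack, as a toy model.

HMAC-SHA256 replaces the key's ECDSA signature; app-ID hash, counter and
client-data hash follow the U2F authentication message layout. Names and
origins are hypothetical and exist only for this demonstration.
"""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://accounts.example"          # hypothetical real site
PHISH_ORIGIN = "https://accounts-example.evil"  # hypothetical phishing site


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- 1. One-time-password token (SecurID/TOTP style): a code is bound to nothing ---

def otp_code(secret: bytes, counter: int) -> str:
    """Six-digit code for a given counter value, HOTP-like truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class OtpServer:
    """Accepts any valid code in a look-ahead window; cannot tell where it was typed."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret, self.window, self.last = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(otp_code(self.secret, c), code):
                self.last = c
                return True
        return False


def otp_phishing_demo() -> bool:
    """Victim types the code into the phishing page; attacker forwards it unchanged.
    Returns True if the attacker is logged in at the real server."""
    secret = os.urandom(20)
    server = OtpServer(secret)
    captured = otp_code(secret, 1)   # shown on the token, typed into PHISH_ORIGIN
    return server.verify(captured)   # replayed by the attacker to RP_ORIGIN


# --- 2. U2F-style key: the browser bakes the real origin into what gets signed ---

class SecurityKey:
    def __init__(self) -> None:
        self.secret = os.urandom(32)  # toy stand-in for the per-site private key
        self.counter = 0

    def sign(self, app_id_hash: bytes, client_data_hash: bytes):
        self.counter += 1
        payload = app_id_hash + b"\x01" + struct.pack(">I", self.counter) + client_data_hash
        return self.counter, hmac.new(self.secret, payload, hashlib.sha256).digest()


def browser_get_assertion(key: SecurityKey, origin_seen: str, challenge: str):
    """The browser decides what origin goes into client data; the page cannot override it."""
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin_seen},
        sort_keys=True,
    ).encode()
    counter, sig = key.sign(sha256(origin_seen.encode()), sha256(client_data))
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, origin: str, key: SecurityKey) -> None:
        self.origin = origin
        self.key_secret = key.secret   # toy stand-in for the registered public key
        self.last_counter = 0
        self.pending = set()

    def new_challenge(self) -> str:
        c = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, counter: int, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("origin") != self.origin:          # the check that defeats the relay
            return False
        if data.get("challenge") not in self.pending:  # must be a challenge we issued
            return False
        payload = sha256(self.origin.encode()) + b"\x01" + struct.pack(">I", counter) + sha256(client_data)
        expected = hmac.new(self.key_secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        if counter <= self.last_counter:               # cloned-key / replay detection
            return False
        self.pending.discard(data["challenge"])
        self.last_counter = counter
        return True


def u2f_login(origin_user_is_on: str) -> bool:
    """Login attempt where the user touches the key while on origin_user_is_on.
    A man-in-the-middle relays the real challenge and the key's response verbatim."""
    key = SecurityKey()
    rp = RelyingParty(RP_ORIGIN, key)
    challenge = rp.new_challenge()   # attacker fetches this from the RP and shows it to the victim
    return rp.verify(*browser_get_assertion(key, origin_user_is_on, challenge))
```

`otp_phishing_demo()` returns True: the captured code is accepted. `u2f_login(RP_ORIGIN)` returns True, while `u2f_login(PHISH_ORIGIN)` returns False, because the client data the key signed says `accounts-example.evil` and the relying party refuses it before even checking the signature (and the app-ID hash in the signed payload would not match either). This is also why frojack's point below about disabling SMS and voice fallbacks matters: the origin binding only helps if no weaker path is left open.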
(Score: 2) by frojack on Monday October 02 2017, @08:15PM (2 children)
Any of several Yubikey versions do work, as long as you limit the account to ONLY accept those devices.
No text messages. No Phone calls.
The problem is that these physical keys are pretty expensive. (One key can work with many different services).
No Authenticator app would then be needed. (This hasn't been broken yet AFAIK).
The problem is the setup of Authenticator can be a major pain in the neck when you want to use it for multiple accounts and have it available on multiple devices [google.com] (in case you lose your phone).
Yubikey comes in several versions and some models can be used with your NFC-equipped phone.
I suspect that Google's new service is simply some form of Yubikey-like service.
https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/ [yubico.com]
I've used the el-cheapo Yubikey on several linux machines and windows machines with several different web services.
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Monday October 02 2017, @08:16PM
Meant to say allowing text messages on accounts you set up to use yubikey-like devices is just stupid.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Monday October 02 2017, @08:26PM
I don't think price is a concern here, though. I have both the NFC Yubikey and the little micro Yubikey. Both serve me very well. The only thing that I use that frustrates me is AWS, because they don't work with Yubikeys yet. I think it's a far more useful and user-friendly device than RSA keys (once set up).