SoylentNews is people
SoylentNews
from the upcoming-optimization:-put-the-physical-keys-in-the-cloud dept.
Google: Security Keys Neutralized Employee Phishing
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.
Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).
A Google spokesperson said Security Keys now form the basis of all account access at Google.
"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
(Score: 1) by Sulla on Tuesday July 24 2018, @03:55PM (5 children)
Not that I would ever do it as I am a upright and on-the-ball individual, asking for a friend, but what does an employee do if they leave their USB at home or it gets lost? How long will it take for IT to process the ticket before you are back up and running?
Ceterum censeo Sinae esse delendam
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday July 24 2018, @04:44PM (3 children)
This is Google. They hire only the best. If you lose or displace your key then you're only human and not the best, and therefore not worthy of employ at Google, I'm sure.
I would be concerned, as you point out, with what happens when their USB key breaks away from the keychain or whatever is holding it. (The plastic used on USB dongles never equals the metal used on keys.) I've lost electronic keys that way. I'd also be worried about what happens when someone pushing the stick in-and-out all day breaks the tongue of the USB slot. (That's what she said and it's happened once here.)
This is hardly groundbreaking stuff - many hospitals use card-based lock/unlock on their PCs and I've never met a staff person who has liked it. Novel for use in email maybe... So much for convenience, though.
This sig for rent.
(Score: 3, Interesting) by JoeMerchant on Tuesday July 24 2018, @06:49PM (2 children)
IDK what they are using, but the USB key I selected to carry in my access badge has a full metal jacket with an integral metal hoop that I use to attach it the same string my access badge is on.
USB keys can be pretty solid, and if they go RFID that gets rid of the socket wearing out / water intrusion issues.
Any kind of security key needs a procedure in place to revoke and/or replace it - physical security keys are no exception. If their IT department is on the ball, you should be able to show up at a desk, sign something in blood, and get a fresh key issued and have your lost one invalidated right then, right there.
What would suck would be to lose your key in a public place far from the key replacement desk - maybe they have phone-in invalidation, like credit cards do.
🌻🌻 [google.com]
(Score: 2) by Freeman on Tuesday July 24 2018, @11:10PM (1 child)
'cause RFID screams secure.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Interesting) by JoeMerchant on Wednesday July 25 2018, @11:33AM
There's all kinds of RFID - controlled distance NFC, cases that require metal to metal contact for the RF signal to be strong enough (but still not a plug and socket like USB to wear out), etc.
I suspect they went USB to take advantage of all the already built-in readers in consumer gear.
🌻🌻 [google.com]
(Score: 2) by darkfeline on Wednesday July 25 2018, @04:02AM
The physical token is necessary but not sufficient. Other measures in place prevent authentication long enough for the lost/stolen token to get revoked.
You don't have to outrun the bear, you just have to outrun your friend.
Join the SDF Public Access UNIX System today!