date 2002-10-17
Google Services to Offer Physical Two-Factor Authentication for Politicians and Executives

posted by martyb on Monday October 02, @07:14PM
from the garden-walls-are-growing dept.
Security

takyon writes:

Google will offer a physical security key to upgrade two-factor authentication for certain high-profile users:

The Alphabet Inc. company next month will begin offering a service called the Advanced Protection Program that places a collection of features onto accounts such as email, including a new block on third-party applications from accessing data. The program would effectively replace the need to use two-factor authentication to protect accounts with a pair of physical security keys. The company plans to market the product to corporate executives, politicians and others with heightened security concerns, these people said.

The Gmail messages of John Podesta, Hillary Clinton's 2016 campaign chairman, were famously hacked last year, along with the databases of the Democratic National Committee. Podesta met with the House Intelligence Committee in June to discuss the hack.

[...] The new service will block all third-party programs from accessing a user's emails or files stored on Google Drive, said the people, who asked not to be identified because the product isn't yet public. The program will be updated with new features to protect user data on an on-going basis.

  by bob_super on Monday October 02, @07:25PM

    I don't want no stinking apps or keys, I just want my good old RSA token, even if it needs more digits.
    Is it 100% foolproof? Nope, but it's really hard to hijack if implemented properly.

    Gimme two, in case I lose one or the battery dies. I'll bury the spare under the Bougainvillea.

    by Anonymous Coward on Monday October 02, @07:38PM

      Why not just get a yubikey?

      by bob_super on Monday October 02, @07:57PM

        Interesting.
        The RSA token works on all machines and operating systems, and the only interference possible is the capture of the number being typed (which could be enough, granted). Plug a device in something (wait, this one is USB and that is USB-C, where's my dongle), and all sorts of shenanigans can get in the way.
        On the practical side, my token used to be on my keychain, and reaching for a USB port on both of my primary machines would have been a pain.

        by Anonymous Coward on Monday October 02, @08:23PM

          The yubikey with nfc works on pretty much all devices except iOS (at present). But I understand the pain of reaching for a USB port each time you want to do something. For me I don't find it an issue due to my setup, however.

      by frojack on Monday October 02, @08:15PM

        > Why not just get a yubikey?

        Any of several Yubikey versions do work, as long as you limit the account to ONLY accept those devices.
        No text messages. No Phone calls.
        The problem is that these physical keys are pretty expensive. (One key can work with many different services).

        No Authenticator app would then be needed. (This hasn't been broken yet AFAIK).
        The problem is the setup of authenticator can be a major pain in the neck when you want to use it for multiple accounts and have it available on multiple devices [google.com] (in case you lose your phone).

        Yubikey comes in several versions and some models can be used with your NFC-equipped phone.

        I suspect that Google's new service is simply some form of Yubikey-like service.
        https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/ [yubico.com]

        I've used the el-cheapo Yubikey on several linux machines and windows machines with several different web services.

        by frojack on Monday October 02, @08:16PM

          Meant to say allowing text messages on accounts you set up to use yubikey-like devices is just stupid.

        by Anonymous Coward on Monday October 02, @08:26PM

          I don't think price is a concern here, though. I have both the NFC yubikey and the little micro yubikey. Both serve me very well. The only thing that I use that frustrates me is AWS because they don't work with yubikeys yet. I think it's a far more useful and user friendly device than RSA keys (once set up).

  by Anonymous Coward on Monday October 02, @07:26PM

    "The new service will block all third-party programs from accessing a user's emails or files stored on Google Drive"

    fools.

    by nobu_the_bard on Monday October 02, @07:38PM

      So it'll return a blank page in case there's a third party looking at the screen, right?

    by frojack on Monday October 02, @08:19PM

      > block all third-party programs

      When google itself is largely rolling over for every tin-horn-sheriff these days, there's small comfort in this promised blockage.

  by looorg on Monday October 02, @07:56PM

    So normal people do not need or deserve security? Thanks Google ...

    by bob_super on Monday October 02, @08:00PM

      Nope, glad you finally noticed.
      You should start posting bank account numbers and naked pics, now. (I'd say not necessarily your naked pics, to save our retinas, but I can't judge the tastes of fellow Soylentils).

    by Unixnut on Monday October 02, @08:23PM

      > So normal people do not need or deserve security? Thanks Google ...

      "Normal people" == the product

      When you think of it that way, you recognise that asking Google to do something to benefit you would be like cattle asking the same of the farmer. Nothing will be done to you unless it benefits them. The sooner people realise this, the better it will be for them.

      Heads of state, executives, etc... have power and influence against Google, so they are on a more equal footing. Plus it helps if you (or your company) pay for the product of course.

      As the saying goes, "Beggars can't be choosers", if you want a free service, accept that you are not a customer. They are not providing the service out of charity, but intend to make money from you.

    by Anonymous Coward on Monday October 02, @08:29PM

      You can use yubikeys with google. I use two authenticators for both my personal and work accounts. Much easier to use than RSA type tokens and authenticator apps.

    by takyon on Monday October 02, @08:33PM

      It's unclear to me that normal folks will be prevented from adopting this security measure. I wrestled with that question for a hot minute while submitting this. However:

      > The company plans to market the product to corporate executives, politicians and others with heightened security concerns, these people said.

      That suggests to me that this is not for normal folks and that it will be priced accordingly. That's not unheard of for Google. They used to have a $399/year version of Google Earth aimed towards media outlets and others. G Suite [wikipedia.org] costs $60-120/year per user. Maybe Google will make this feature an add-on to G Suite.

      by Anonymous Coward on Monday October 02, @08:46PM

        It'll almost assuredly be a G Suite feature for nothing less than G Suite Business.

