
posted by martyb on Tuesday July 24 2018, @12:37PM
from the upcoming-optimization:-put-the-physical-keys-in-the-cloud dept.

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."
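The handshake that makes these keys phishing-resistant, as an added example that is not code from the story, Google or any key vendor: it models the FIDO U2F challenge-response, in which the browser (not the user) binds the origin it is really talking to into what the key signs, and the relying party also tracks a monotonic counter. HMAC over a device secret stands in for the key's per-origin ECDSA pair, an assumption made so the example runs on the Python standard library alone; the origins are constructed.

```python
# Added example: minimal model of U2F origin binding. HMAC with a device secret
# stands in for the real key's ECDSA key pair (assumption, stdlib-only).
import hashlib, hmac, json, os, struct

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

class SecurityKey:
    """Constructed stand-in for the hardware token; the secret never leaves it."""
    def __init__(self):
        self._secret, self.counter = os.urandom(32), 0
    def sign(self, app_id_hash: bytes, client_data_hash: bytes):
        self.counter += 1                        # monotonic usage counter
        msg = app_id_hash + struct.pack(">I", self.counter) + client_data_hash
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()
    def public_part(self) -> bytes:              # handed over once, at registration
        return self._secret                      # (a real key exports a public key)

def browser_sign(key, origin: str, challenge: bytes):
    """The browser fills in the origin it is actually connected to."""
    cdata = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    counter, sig = key.sign(sha256(origin.encode()), sha256(cdata))
    return cdata, counter, sig

class RelyingParty:
    def __init__(self, app_id: str, key):
        self.app_id, self.pub, self.last_counter = app_id, key.public_part(), 0
    def verify(self, challenge, cdata, counter, sig) -> bool:
        cd = json.loads(cdata)
        if cd["challenge"] != challenge.hex() or cd["origin"] != self.app_id:
            return False                         # stale challenge or wrong origin
        if counter <= self.last_counter:
            return False                         # replayed assertion, or a cloned key
        msg = sha256(self.app_id.encode()) + struct.pack(">I", counter) + sha256(cdata)
        if not hmac.compare_digest(hmac.new(self.pub, msg, hashlib.sha256).digest(), sig):
            return False                         # signature covers origin, counter, data
        self.last_counter = counter
        return True

def legitimate_login(rp, key) -> bool:
    chal = os.urandom(32)
    return rp.verify(chal, *browser_sign(key, rp.app_id, chal))

def phished_login(rp, key, phish_origin: str):
    """A relay site forwards the real challenge; the victim's key signs for the relay's origin."""
    chal = os.urandom(32)
    cdata, counter, sig = browser_sign(key, phish_origin, chal)
    as_is = rp.verify(chal, cdata, counter, sig)
    forged = json.dumps({"challenge": chal.hex(), "origin": rp.app_id}).encode()
    return as_is, rp.verify(chal, forged, counter, sig)   # -> (False, False)
```

The second value in `phished_login` shows that rewriting the client data to claim the genuine origin does not help either, because the key signed over the relay origin's appId hash, which is the property a static one-time code lacks.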



Related Stories

Reddit Breached Via Intercepted SMS Message(s) 9 comments

Computer security journalist Brian Krebs has posted in his blog that Reddit, a well-known social news aggravation site, has announced that an attacker compromised several employee accounts at its cloud and source code hosting providers. The way in turned out to be Reddit's reliance on mobile text messages (SMS) in an imitation of two-factor authentication (2FA). Mobile application-based keys are an option. Hardware tokens would also have been reasonably secure instead, but few sites do more than partially support them.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Specific details of how the SMS messages were intercepted have not yet been made public.

Earlier on SN:
Google Defeats Employee Phishing With Physical Security Keys (2018)
SIM Hijacking as a Second Factor (2018)
Authentication Today: Moving Beyond Passwords (2018)



Google's Titan Security Key Goes on Sale 14 comments

Google's in-house security key is now available to anyone who wants one

Google's Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.

Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and Github. But not surprisingly, they're built particularly for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a complex handshake rather than a static code, they're far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.

Also at TechCrunch, CNBC, and BGR.

Previously: Google Defeats Employee Phishing With Physical Security Keys

Related: No Key, No Login: G Suite Admins Can Now Make FIDO Security Keys Mandatory


  • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 24 2018, @01:21PM (2 children)

    by Anonymous Coward on Tuesday July 24 2018, @01:21PM (#711700)

    You should see the security you can achieve when you don't put sensitive data on someone else's computer! Or, heaven forbid, even disconnect sensitive data from the Internet entirely !!

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday July 24 2018, @01:26PM (1 child)

      by Anonymous Coward on Tuesday July 24 2018, @01:26PM (#711705)
      take ur agenda elsewhere
      • (Score: 3, Informative) by Runaway1956 on Tuesday July 24 2018, @02:08PM

        by Runaway1956 (2926) Subscriber Badge on Tuesday July 24 2018, @02:08PM (#711727) Journal

        Uhhh, please no. The "agenda", as you call it, is just good, common sense. Depending on the cloud is somewhat like the old man who buried his money in mason jars. Except, with the cloud, the old man is burying his money all over the neighborhood. Some in the mayor's yard, some in a schoolteacher's yard, some in a yard with six kids plus all the local sports teams hanging out all day, some in the landfill - all around town he goes, burying his money. Surprise, surprise - anyone can dig it up, if they just watch where he buries stuff.

  • (Score: 4, Interesting) by bradley13 on Tuesday July 24 2018, @01:29PM (3 children)

    by bradley13 (3053) on Tuesday July 24 2018, @01:29PM (#711706) Homepage Journal

    I recently got a Yubikey (from Ars) to play around with. I've not looked into how the thing actually works, but purely from a user perspective, there seems to be a problem with browser dependencies, or perhaps browser version dependencies. I often have to switch browsers to get into a particular site. I've been too lazy to document exactly what works, and what doesn't, but there's really no reason for any vaguely recent, mainstream browser not to work.

    This is something that seems to crop up more and more lately: websites that work differently, or not at all, with particular browsers. Reminds me of the bad-old-days with IE6...

    --
    Everyone is somebody else's weirdo.
    • (Score: 2) by opinionated_science on Tuesday July 24 2018, @02:02PM

      by opinionated_science (4031) on Tuesday July 24 2018, @02:02PM (#711723)

      In general, UN*X has had OTP for decades, so TFA is simply an extension.

      "RSA Key" has been around a good while - they got hacked once, though I'm not sure how much that affected them.

      Yubikey is probably as good as you can get on the domestic market.

      I believe YK works via the keyboard input - well behaved on Linux, MacOsx.

      I know nothing about Winsoze....

      Anybody else?

    • (Score: 2, Interesting) by Anonymous Coward on Tuesday July 24 2018, @03:14PM (1 child)

      by Anonymous Coward on Tuesday July 24 2018, @03:14PM (#711745)

      I was going to point out the hypocrisy with Google here, they're using hardware keys, but they purposefully prevent Firefox from accessing Gmail via a yubikey even though they support it on Chrome and Firefox supports Yubikey out of the box.

  • (Score: 4, Interesting) by legont on Tuesday July 24 2018, @01:55PM

    by legont (4179) on Tuesday July 24 2018, @01:55PM (#711718)

    Interesting, interesting indeed. Reminds me of times when one could just distribute free music disks near the bull and the whole Wall Street would listen...

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 1) by Sulla on Tuesday July 24 2018, @03:55PM (5 children)

    by Sulla (5173) on Tuesday July 24 2018, @03:55PM (#711759) Journal

    Not that I would ever do it as I am an upright and on-the-ball individual, asking for a friend, but what does an employee do if they leave their USB at home or it gets lost? How long will it take for IT to process the ticket before you are back up and running?

    --
    Ceterum censeo Sinae esse delendam
    • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday July 24 2018, @04:44PM (3 children)

      by All Your Lawn Are Belong To Us (6553) on Tuesday July 24 2018, @04:44PM (#711776) Journal

      This is Google. They hire only the best. If you lose or displace your key then you're only human and not the best, and therefore not worthy of employ at Google, I'm sure.

      I would be concerned, as you point out, with what happens when their USB key breaks away from the keychain or whatever is holding it. (The plastic used on USB dongles never equals the metal used on keys.) I've lost electronic keys that way. I'd also be worried about what happens when someone pushing the stick in-and-out all day breaks the tongue of the USB slot. (That's what she said and it's happened once here.)

      This is hardly groundbreaking stuff - many hospitals use card-based lock/unlock on their PCs and I've never met a staff person who has liked it. Novel for use in email maybe... So much for convenience, though.

      --
      This sig for rent.
      • (Score: 3, Interesting) by JoeMerchant on Tuesday July 24 2018, @06:49PM (2 children)

        by JoeMerchant (3937) on Tuesday July 24 2018, @06:49PM (#711824)

        IDK what they are using, but the USB key I selected to carry in my access badge has a full metal jacket with an integral metal hoop that I use to attach it to the same string my access badge is on.

        USB keys can be pretty solid, and if they go RFID that gets rid of the socket wearing out / water intrusion issues.

        Any kind of security key needs a procedure in place to revoke and/or replace it - physical security keys are no exception. If their IT department is on the ball, you should be able to show up at a desk, sign something in blood, and get a fresh key issued and have your lost one invalidated right then, right there.

        What would suck would be to lose your key in a public place far from the key replacement desk - maybe they have phone-in invalidation, like credit cards do.

        --
        🌻🌻 [google.com]
        • (Score: 2) by Freeman on Tuesday July 24 2018, @11:10PM (1 child)

          by Freeman (732) on Tuesday July 24 2018, @11:10PM (#712012) Journal

          'cause RFID screams secure.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 3, Interesting) by JoeMerchant on Wednesday July 25 2018, @11:33AM

            by JoeMerchant (3937) on Wednesday July 25 2018, @11:33AM (#712267)

            There's all kinds of RFID - controlled distance NFC, cases that require metal to metal contact for the RF signal to be strong enough (but still not a plug and socket like USB to wear out), etc.

            I suspect they went USB to take advantage of all the already built-in readers in consumer gear.

            --
            🌻🌻 [google.com]
    • (Score: 2) by darkfeline on Wednesday July 25 2018, @04:02AM

      by darkfeline (1030) on Wednesday July 25 2018, @04:02AM (#712166) Homepage

      The physical token is necessary but not sufficient. Other measures in place prevent authentication long enough for the lost/stolen token to get revoked.

      You don't have to outrun the bear, you just have to outrun your friend.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 24 2018, @07:40PM

    by Anonymous Coward on Tuesday July 24 2018, @07:40PM (#711858)

    So this reads like an ad for yubikey's new U2F (Universal 2 factor) protocol supporting yubikey - it's only supported by the coolest and most awesome leading edge tech sites so far! but doesn't go into details on the protocol. The problem is, since it all happens over the internet, there's no proof that you have the device on you, just that the bytes you're sending match what the device would send. It's entirely possible for an attacker to replicate one of these, just, I assume, computationally unlikely.

  • (Score: 2) by riT-k0MA on Wednesday July 25 2018, @05:37PM

    by riT-k0MA (88) on Wednesday July 25 2018, @05:37PM (#712506)

    This is a duplicate. Original [soylentnews.org].
