Slashdot Mirror


Google Adds USB Security Keys To 2-Factor Authentication Options

An anonymous reader writes with this excerpt from VentureBeat: Google today announced it is beefing up its two-step verification feature with Security Key, a physical USB second factor that only works after verifying the login site is truly a Google website. The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer's USB port and tap it when prompted by Google's browser. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," Google promises. While Security Key works with Google Accounts at no charge, you'll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
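Added example, not Google's or any U2F library's code: a standard-library Python stand-in for the authentication step the summary describes, with HMAC-SHA256 in place of the token's ECDSA signature and registration assumed already done (the relying party holds the token's secret the way it would hold the registered public key); every hostname is constructed. It shows the two checks that make the signature unphishable: the browser refuses to let a page sign under an app ID that is not its own origin, and the relying party checks the origin written into clientData and verifies against its own app ID hash.

```python
import hashlib, hmac, json, os, struct
APP_ID = "https://login.example"      # constructed relying-party app ID
TRUSTED_ORIGINS = {APP_ID}            # origins the RP accepts in clientData

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

class Token:
    """Security key; HMAC with its secret stands in for the ECDSA key pair."""
    def __init__(self):
        self.key = os.urandom(32)
        self.counter = 0

    def sign(self, app_param: bytes, client_param: bytes) -> bytes:
        self.counter += 1                      # signed usage counter, as in U2F
        ctr = struct.pack(">I", self.counter)
        mac = hmac.new(self.key, app_param + b"\x01" + ctr + client_param, "sha256").digest()
        return b"\x01" + ctr + mac             # user-presence byte, counter, "signature"

def verify(key: bytes, app_param: bytes, client_param: bytes, sig: bytes) -> bool:
    presence, ctr, mac = sig[:1], sig[1:5], sig[5:]
    expect = hmac.new(key, app_param + presence + ctr + client_param, "sha256").digest()
    return hmac.compare_digest(expect, mac)

def browser_sign(token: Token, page_origin: str, app_id: str, challenge: str):
    """Chrome's part: refuse a foreign app ID, then bind origin and challenge into clientData."""
    if page_origin != app_id:                  # facet check, simplified to exact match
        raise PermissionError(f"{page_origin} may not use app ID {app_id}")
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}, sort_keys=True)
    return client_data, token.sign(sha256(app_id.encode()), sha256(client_data.encode()))

def rp_verify(key: bytes, challenge: str, client_data: str, sig: bytes) -> bool:
    """Relying party: challenge and origin must match, and the signature must cover OUR app ID hash."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge or cd.get("origin") not in TRUSTED_ORIGINS:
        return False
    return verify(key, sha256(APP_ID.encode()), sha256(client_data.encode()), sig)

def legitimate_login(token: Token) -> bool:
    challenge = os.urandom(16).hex()           # issued by the RP
    cd, sig = browser_sign(token, APP_ID, APP_ID, challenge)
    return rp_verify(token.key, challenge, cd, sig)

def phished_login(token: Token) -> bool:
    """A look-alike site relays the RP's real challenge; Chrome only lets it sign under its own app ID, so the RP rejects the result."""
    evil = "https://login-example.evil"        # constructed phishing origin
    challenge = os.urandom(16).hex()
    cd, sig = browser_sign(token, evil, evil, challenge)
    return rp_verify(token.key, challenge, cd, sig)
```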

4 of 121 comments

  1. Where is the NFC 2-factor? by DigitAl56K · · Score: 4, Interesting

    Let me know when they start selling cheap NFC dongles so we can just tap our phone on them to log in. I'm sure our company would buy a bunch. 2-factor makes logging in to conference systems a pain in the ass - everyone is always looking to the guy who doesn't use 2-factor to log in already. I don't see how fumbling around with USB sticks is much better.

    1. Re:Where is the NFC 2-factor? by swillden · · Score: 4, Interesting

      I don't see how fumbling around with USB sticks is much better.

      I use a YubiKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

      There's an obvious downside of leaving the key plugged into your laptop, of course. If someone steals your laptop they have your key. However, in order to make use of it they have to have (or guess) your password as well, so it's really only a risk if someone is specifically targeting you, in which case they could also steal your phone. Well, it's also a problem if you use a particularly lousy password, and if you don't notice that the laptop/key are gone soon enough that you can disable the key before the attacker guesses your password.

      FWIW, Google switched to using security keys for corporate account authentication a while ago. Google's security operations team determined that the risk of theft of a security key is actually lower in practice than the risk that an employee's phone-based OTP might be phished. I would have thought that Google employees were too smart to be phished... but I suppose resistance to phishing attacks is as much about social intelligence as anything else, and Google hires a lot of socially inept people.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    2. Re:Where is the NFC 2-factor? by swillden · · Score: 3, Interesting

      That's okay for you on your laptop. When you go to a conference room with, e.g., a PC set up for conference calls, and someone needs to log in to pull up the hangout, it's a different story.

      The proper solution for that problem is for the conference room PC to have its own account, which is invited to the hangout, rather than logging in with some individual's account. From a security perspective, having a device that lots of people log into is a bad idea; it's an ideal target for compromise, regardless of whether or not you use 2FA.

      FWIW (not much, I suppose, since it's not generally available), the way this works at Google is that conference rooms have their own accounts and calendars. Rooms are added to meetings in a manner very similar to adding guests. Each conference room PC has a small, connected tablet computer sitting on the table that shows the room's upcoming meetings. You tap the one you want and the room joins that hangout. If someone needs to present something from their computer they just join the meeting from their computer, generally with a different URL that only shares their screen and doesn't use their camera, microphone or speakers (or they can join the hangout normally, mute their speakers, disable their mic and then go into presentation mode). All of this also works for people without Google accounts; if they're invited to a meeting they get a URL that connects them to the hangout, and they can present if needed.

      It's very slick. IMO, Google should package the solution and sell it, because it's far and away the best VC system I've seen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  2. Man In The Browser Attack by icknay · · Score: 3, Interesting

    It's great that Google is trying to advance this. The attack to worry about is "Man In the Browser" MITB http://en.wikipedia.org/wiki/M...

    MITB is the difficult case, and the way that bank accounts get emptied. The bad guy has malware on the victim computer, and the malware puts up web pages, and of course it can just lie about the URL bar. So then the bad guy puts up the fake bank web site, and the victim types in the 2-factor code or whatever, and now the bad guy has it. Obviously Google knows about the MITB case. Does this thing have some sort of MITB mitigation? I'm guessing it does something. Hey Google, what do you say?

    The classical solution to MITB is that the little key has its own display, so it can show "Confirm transfer $4500 to account 3456" - showing the correct info to the "victim" even if their laptop is compromised. Basically, keeping the USB key itself from getting malware is feasible, while keeping the laptop or whatever clean is not.