Slashdot Mirror


Google Adds USB Security Keys To 2-Factor Authentication Options

An anonymous reader writes with this excerpt from VentureBeat: Google today announced it is beefing up its two-step verification feature with Security Key, a physical USB second factor that only works after verifying the login site is truly a Google website. The feature is available in Chrome: Instead of typing in a code, you can simply insert Security Key into your computer's USB port and tap it when prompted by Google's browser. "When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished," Google promises. While Security Key works with Google Accounts at no charge, you'll need to go out and buy a compatible USB device directly from a Universal 2nd Factor (U2F) participating vendor.
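The origin binding the summary describes, sketched as an added stand-alone simulation (not Google's or the FIDO Alliance's code): the browser, not the page, writes the real origin into the signed client data, refuses to use a key for an origin that is not a facet of its appId, and the server rejects anything signed while the browser was elsewhere. A real U2F token signs with a per-registration P-256 ECDSA key; the sketch substitutes an HMAC secret shared at registration so it runs with the Python standard library alone. The appId, the look-alike phishing hostname and the "same hostname" facet rule are assumptions for the illustration.

```python
# Added example (not Google's or FIDO's code): U2F-style origin binding; HMAC stands in for ECDSA.
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

APP_ID = "https://accounts.example.com"                     # assumed relying-party appId
PHISH_ORIGIN = "https://accounts-example.com.evil.example"  # assumed look-alike attacker site


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """The USB device: it sees only an appId, a key handle and a hash of the client data."""
    def __init__(self):
        self._keys = {}   # key_handle -> (appId it was registered for, per-site secret)
        self.counter = 0  # signature counter; lets the server notice a cloned token

    def register(self, app_id: str):
        key_handle, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._keys[key_handle] = (app_id, secret)
        return key_handle, secret  # real U2F hands back a public key, never the secret

    def authenticate(self, app_id: str, key_handle: bytes, client_data_hash: bytes, touched: bool):
        if not touched:
            raise PermissionError("user presence (touch) required")
        bound_app_id, secret = self._keys[key_handle]
        if bound_app_id != app_id:
            raise ValueError("key handle was not registered for this appId")
        self.counter += 1
        signed = sha256(app_id.encode()) + b"\x01" + self.counter.to_bytes(4, "big") + client_data_hash
        return b"\x01", self.counter, hmac.new(secret, signed, hashlib.sha256).digest()


class Browser:
    """Chrome's part: writes the real page origin into the client data and checks facets
    (simplified here to 'same hostname as the appId')."""
    def __init__(self, token: Token, origin: str, check_facets: bool = True):
        self.token, self.origin, self.check_facets = token, origin, check_facets

    def get_assertion(self, app_id: str, key_handle: bytes, challenge: str, touched: bool = True):
        if self.check_facets and urlparse(self.origin).hostname != urlparse(app_id).hostname:
            raise PermissionError(f"{self.origin} is not a facet of {app_id}")
        client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        presence, counter, sig = self.token.authenticate(app_id, key_handle, sha256(client_data), touched)
        return {"clientData": client_data, "presence": presence, "counter": counter, "signature": sig}


class RelyingParty:
    """The server: checks challenge, signed origin, counter and the signature over those bytes."""
    def __init__(self, secret: bytes):
        self.secret, self.last_counter, self._outstanding = secret, 0, set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, a: dict) -> bool:
        cd = json.loads(a["clientData"])
        if cd.get("challenge") not in self._outstanding:
            return False  # never issued, or already consumed (replay)
        if cd.get("origin") != APP_ID:
            return False  # the browser was on some other site when this was signed
        if a["counter"] <= self.last_counter:
            return False  # counter went backwards: cloned token or replay
        signed = sha256(APP_ID.encode()) + a["presence"] + a["counter"].to_bytes(4, "big") + sha256(a["clientData"])
        if not hmac.compare_digest(hmac.new(self.secret, signed, hashlib.sha256).digest(), a["signature"]):
            return False
        self._outstanding.discard(cd["challenge"])
        self.last_counter = a["counter"]
        return True


def demo() -> dict:
    token = Token()
    key_handle, secret = token.register(APP_ID)
    rp = RelyingParty(secret)
    results = {}
    # Legitimate login from the real origin, then a replay of the very same assertion.
    assertion = Browser(token, APP_ID).get_assertion(APP_ID, key_handle, rp.new_challenge())
    results["legit"] = rp.verify(assertion)
    results["replay"] = rp.verify(assertion)
    # Phishing: a look-alike site relays a genuine challenge to the victim's browser.
    relayed = rp.new_challenge()
    try:
        Browser(token, PHISH_ORIGIN).get_assertion(APP_ID, key_handle, relayed)
        results["phish_blocked_by_browser"] = False
    except PermissionError:
        results["phish_blocked_by_browser"] = True
    # Even if the facet check were skipped, the origin baked into the signed data betrays it.
    leaked = Browser(token, PHISH_ORIGIN, check_facets=False).get_assertion(APP_ID, key_handle, relayed)
    results["phish_accepted_by_server"] = rp.verify(leaked)
    return results
```

Run `demo()` and the four outcomes show the two layers of defence: Chrome refuses to involve the key at all from the wrong origin, and if it did, the server would still reject the assertion because the origin it signed is not the one it expects. The replay fails too, since the challenge is single-use and the counter must increase.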


  1. Dongle Bells! by CWCheese · · Score: 2

    I wonder if I can go dig out one of my old C=64 application dongles to use... of course it will be disconcerting if I heard the read/write heads slamming against the side of my disk drives

    --
    Have a Day!
    1. Re:Dongle Bells! by __aaclcg7560 · · Score: 3, Informative

      You mean a serial port? I bet yours does and you didn't even know it.

      The OP mentioned Commodore 64 dongles that typically plugged into the 9-pin joystick ports, which were compatible with the Atari 2600 joysticks. The 9-pin connector for the joystick ports was also used for serial ports on the PC, although I think that came later, as 25-pin serial connectors were still common on modems in the early 1980s. Early PCs had a 15-pin game port on the old SoundBlaster cards. Don't recall if anyone made a 9-pin to 15-pin adapter to plug in the old Atari 2600 joysticks.

      And if it doesn't?

      None of my PCs have serial ports on them. I had to get a USB serial adapter to be able to console into my Cisco rack.

  2. Where is the NFC 2-factor? by DigitAl56K · · Score: 4, Interesting

    Let me know when they start selling cheap NFC dongles so we can just tap our phone on them to login. I'm sure our company would buy a bunch. 2-factor makes logging in to conference systems a pain in the ass - everyone is always looking to the guy who doesn't use 2-factor to login already. I don't see how fumbling around with USB sticks is much better.

    1. Re:Where is the NFC 2-factor? by swillden · · Score: 4, Interesting

      I don't see how fumbling around with USB sticks is much better.

      I use a YubiKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

      There's an obvious downside of leaving the key plugged into your laptop, of course. If someone steals your laptop they have your key. However, in order to make use of it they have to have (or guess) your password as well, so it's really only a risk if someone is specifically targeting you, in which case they could also steal your phone. Well, it's also a problem if you use a particularly lousy password, and if you don't notice that the laptop/key are gone soon enough that you can disable the key before the attacker guesses your password.

      FWIW, Google switched to using security keys for corporate account authentication a while ago. Google's security operations team determined that the risk of theft of a security key is actually lower in practice than the risk that an employee's phone-based OTP might be phished. I would have thought that Google employees were too smart to be phished... but I suppose resistance to phishing attacks is as much about social intelligence as anything else, and Google hires a lot of socially inept people.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Where is the NFC 2-factor? by DigitAl56K · · Score: 2

      I don't see how fumbling around with USB sticks is much better.

      I use a YubiKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

      That's okay for you on your laptop. When you go to a conference room with, e.g., a PC set up for conference calls, and someone needs to log in to pull up the hangout, it's a different story (don't even get me started on Chromebox for Meetings...).

      Here, having a little dongle sitting in the middle of the desk connected to the main system via USB would provide an easy option to provide at least the 2nd factor auth, without anyone typing in codes or plugging in additional devices. Lots of people walk into a conference room with their phone in hand as it is.

    3. Re:Where is the NFC 2-factor? by swillden · · Score: 3, Interesting

      That's okay for you on your laptop. When you go to a conference room with, e.g., a PC set up for conference calls, and someone needs to log in to pull up the hangout, it's a different story

      The proper solution for that problem is for the conference room PC to have its own account, which is invited to the hangout, rather than logging in with some individual's account. From a security perspective, having a device that lots of people log into is a bad idea; it's an ideal target for compromise, regardless of whether or not you use 2FA.

      FWIW (not much, I suppose, since it's not generally available), the way this works at Google is that conference rooms have their own accounts and calendars. Rooms are added to meetings in a manner very similar to adding guests. Each conference room PC has a small, connected tablet computer sitting on the table that shows the room's upcoming meetings. You tap the one you want and the room joins that hangout. If someone needs to present something from their computer they just join the meeting from their computer, generally with a different URL that only shares their screen and doesn't use their camera, microphone or speakers (or they can join the hangout normally, mute their speakers, disable their mic and then go into presentation mode). All of this also works for people without Google accounts; if they're invited to a meeting they get a URL that connects them to the hangout, and they can present if needed.

      It's very slick. IMO, Google should package the solution and sell it, because it's far and away the best VC system I've seen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. How does it secure against spoofing? by Opportunist · · Score: 5, Insightful

    What keeps me (or my malware, respectively) from opening a google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fool the dongle into recognizing it and the user into pressing the a-ok button?

    A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:How does it secure against spoofing? by Gr8Apes · · Score: 2

      I was thinking this was more a leave it plugged in dongle, so Google has guaranteed tracking of all you do. After all, why would Google do anything if it doesn't add to the bottom line?

      --
      The cesspool just got a check and balance.
    2. Re:How does it secure against spoofing? by swillden · · Score: 2

      What keeps me (or my malware, respectively) from opening a google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fool the dongle into recognizing it and the user into pressing the a-ok button?

      For one thing, if the tab with the malware-loaded page isn't on top, Chrome won't allow it to talk to the dongle. If there is some way to render a page that is not visible to the user but which Chrome considers sufficiently "open", that's a Chrome bug which should be fixed.

      A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

      You should have stopped after the first sentence, because two channels doesn't help. If the machine you're using is compromised, it's no longer your machine, period. This is true regardless of the authentication method being used. That said, some authentication methods are susceptible to replay attacks... if I can compromise your machine and grab your credentials then I can log in as you from my machine. Security keys make that sort of attack very difficult, much harder than, for example, an out-of-band one-time-password. In that case, I just have to make sure I use the one-time password before you do, grabbing and submitting it before you click "Go". With a cryptographic challenge response protocol performed by a security key that's more difficult, because a secure channel is established between the authentication server (at Google) and the security key. It's still not impossible, but it's much harder.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:USB Device Recommendation by TWX · · Score: 4, Funny

    So, what is a good USB device for this?

    Probably one whose controller firmware hasn't been compromised...

    --
    Do not look into laser with remaining eye.
  5. Re:USB Device Recommendation by Midnight_Falcon · · Score: 2

    If you read TFA, you'll see YubiCo is offering a new device and their NEO devices are compatible with FIDO U2F. Unfortunately, the standard YubiKey and YubiKey nano do not support U2F.

  6. BadUSB exploit catalyst by ktilford · · Score: 2

    Good way to spread BadUSB exploits.

  7. FIDO 2 Factor by dac56 · · Score: 2

    Does anyone know if LastPass USB dongles qualify?

  8. Re:USB Device Recommendation by allquixotic · · Score: 3, Informative

    I have a Yubikey NEO. The U2F device they're selling now is the same form factor so I would assume it will work. It's a hardy little device -- it frequently clanks up against my other keys, but it still works in both USB and NFC modes. Not sure if the U2F model supports NFC, though. You'd have to check.

    Still, good build quality. And there's no battery; the unit has no moving parts (completely discrete); so they can be expected to last a very long time. Basically the limiting factor is how much damage you will accidentally do to the physical housing of the chip and/or the USB connector by dragging it with you everywhere. So far that amount is "0" for mine as far as I can detect.

  9. Re: USB Device Recommendation by Anonymous Coward · · Score: 3, Insightful

    Why would that be significant? Two-factor auth doesn't save you from an untrusted terminal, and you'd sooner run into malware than compromised firmware.

    Christ on a cracker I hope nobody thinks you can plug this hardware into an untrusted software system and expect security.

  10. The way banks do it by DrYak · · Score: 3, Informative

    The way some banks do it is that the authentication asker (a 2F-protected service provider) sends a signed/encrypted message, which the security token decodes/verifies/displays. That message can't be tampered with (cryptography).

    So the token will display the message (something like "Authentication required to access GMail.com").
    So if an attacker tries to intercept your credentials by opening an actual Google page in the background, you'll notice that what the thing pretends to be on screen and what the dongle registers as an asker aren't the same.

    The way to fool the user would be to try to actually look like the page you're trying to spoof. So an attacker needs to look like GMail, so the user thinks he's on Gmail, whereas actually it's a malware page masquerading as it and relaying security tokens from the real Gmail.

    Now the way that banks counteract that is that any critical action (payment, etc.) needs to be confirmed again by the security token system. So the theoretical man-in-the-middle can't inject a payment of 10'000$ to his Cayman Islands account, because every payment needs to be confirmed again, and the bank will issue a confirmation message regarding the transaction.
    You'll notice if, when paying a phone bill, the confirmation message is instead 10'000$ for the Cayman Islands.

    Overall, it works as if the security token is its very own separate device, designed to work over an unreliable, untrusted channel.

    (The device doesn't implement a full TCP/IP stack. Most example devices accept only:
    - a string of characters as input (i.e.: you need to type the last five digits of the account you need to send funds to. The bank will notice when you type the digits of your utility company, but the man-in-the-middle has tried to inject a Cayman Islands account from your browser).
    - a 2D flashing barcode to automate string input.
    - for the most crazy solution: writing a string to a file on a flash disk; this flash disk is shared with the security token's microcontroller.
    Each time, the attack surface is very small. Only a short string of data is passed. You can't get many exploitable bugs.

    For the output, only a string again:
    - that you read from the token's screen and type in.
    - that the token can type on your behalf, communicating with a HID chip on the same device.
    - the token can send it to a flash device that makes it visible inside a file.
    Again, the security token itself is limited to sending just a string. Very small attack surface. All the funny "stuff" is implemented outside, and thus very low risk of remote exploitability.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Re:Too bad google's own search doesn't turn up any by jeffmflanagan · · Score: 2

    Inexpensive one: http://www.amazon.com/dp/B00NL...
    More expensive one with additional functionality http://www.amazon.com/dp/B00LX...

  12. Man In The Browser Attack by icknay · · Score: 3, Interesting
    It's great that Google is trying to advance this. The attack to worry about is "Man In the Browser" MITB http://en.wikipedia.org/wiki/M...

    MITB is the difficult case, and the way that bank accounts get emptied. The bad guy has malware on the victim computer, and the malware puts up web pages, and of course it can just lie about the url bar. So then the bad guy puts up the fake bank web site, and the victim types in the 2-factor code or whatever, and now the bad guy has it. Obviously Google knows about the MITB case. Does this thing have some sort of MITB mitigation? I'm guessing it does something. Hey Google, what do you say?

    The classical solution to MITB is that the little key has its own display, so it can show "Confirm transfer $4500 to account 3456" - showing the correct info to the "victim" even if their laptop is compromised. Basically, keeping the usb key itself from getting malware is feasible, while keeping the laptop or whatever clean is not.
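A stand-alone sketch of the transaction-confirmation flow DrYak describes above and of the display-equipped key icknay asks for, added here as an illustration and not any bank's or vendor's code. It assumes a per-token HMAC key shared with the bank at enrolment (real tokens carry their own key material and a hardware display); the account numbers, amounts, currency and the 8-character confirmation code are made up. The point it demonstrates is "what you see is what you sign": the token only signs text whose integrity tag from the bank verifies, and the bank only executes the transaction the token actually signed, so a man-in-the-browser can neither alter the transfer silently nor alter what the screen shows.

```python
# Added example (not any bank's or vendor's code): a transaction-signing token with
# its own screen. The token and bank share an HMAC key enrolled out of band (assumed);
# real tokens carry their own key material. Accounts, amounts and names are made up.
import hashlib
import hmac
import json

TOKEN_KEY = b"assumed per-token key enrolled at the branch"


def canon(tx: dict) -> bytes:
    """Canonical bytes for a transaction, so bank and token hash the same thing."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tag(key: bytes, label: bytes, msg: bytes) -> str:
    return hmac.new(key, label + b"|" + msg, hashlib.sha256).hexdigest()


class Bank:
    """Receives the transfer as the (possibly malware-controlled) browser sent it and
    executes it only once the token has confirmed that exact transfer."""
    def __init__(self, key: bytes):
        self.key, self.pending, self.ledger = key, {}, []

    def request_confirmation(self, tx: dict):
        msg = canon(tx)
        request_id = tag(self.key, b"request", msg)
        self.pending[request_id] = tx
        # The browser relays this to the token: the text plus its integrity tag.
        return request_id, msg.decode() + "." + request_id

    def confirm(self, request_id: str, code) -> bool:
        tx = self.pending.get(request_id)
        if tx is None or code is None:
            return False
        expected = tag(self.key, b"approve", canon(tx))[:8]  # 8-char code the user types back
        if not hmac.compare_digest(expected, code):
            return False
        self.ledger.append(self.pending.pop(request_id))
        return True


class Token:
    """Tiny device with a display: verifies the bank's tag, shows the text, signs only what it showed."""
    def __init__(self, key: bytes):
        self.key = key

    def show_and_sign(self, request: str, user_intended: dict):
        msg, _, request_id = request.rpartition(".")  # the hex tag never contains a dot
        if not hmac.compare_digest(tag(self.key, b"request", msg.encode()), request_id):
            return "INVALID REQUEST", None  # the text was edited on its way to the token
        tx = json.loads(msg)
        display = f"Pay {tx['amount']} {tx['currency']} to account {tx['to']}"
        # The user reads the screen and presses OK only if it matches what they meant to do.
        if tx != user_intended:
            return display, None
        return display, tag(self.key, b"approve", msg.encode())[:8]


def demo() -> dict:
    bank, token = Bank(TOKEN_KEY), Token(TOKEN_KEY)
    intended = {"to": "3456", "amount": "48.20", "currency": "EUR"}  # the phone bill
    results = {}
    # Honest browser: bank, screen and user all agree on the same transfer.
    rid, req = bank.request_confirmation(intended)
    display, code = token.show_and_sign(req, intended)
    results["honest"] = bank.confirm(rid, code)
    # Man-in-the-browser swaps the payee before the transfer reaches the bank.
    tampered = dict(intended, to="9999", amount="10000.00")
    rid, req = bank.request_confirmation(tampered)
    results["mitb_display"], code = token.show_and_sign(req, intended)
    results["mitb_confirmed"] = bank.confirm(rid, code)
    # The malware then tries to make the screen lie by rewriting the relayed text.
    forged = req.replace('"to":"9999"', '"to":"3456"').replace('"amount":"10000.00"', '"amount":"48.20"')
    results["forged_display"], code = token.show_and_sign(forged, intended)
    results["forged_confirmed"] = bank.confirm(rid, code)
    results["ledger"] = list(bank.ledger)
    return results
```

In the tampered case the screen honestly shows the 10000.00 transfer to account 9999, so the user declines and no code exists to type; in the forged case the malware's rewritten text fails the integrity check and the token shows nothing usable. Either way the bank's ledger ends up holding only the phone bill.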

  13. Re:Yet another Chrome-only technology by Minwee · · Score: 4, Funny

    It's really sad to see Google turning inwards like this. What happened to working towards open standards for such things?

    Too true. Couldn't they have used an open standard like FIDO's U2F instead of using proprietary technology like...

    Wait, what was your objection again?

  14. Re:Smart Cards? by polpot78 · · Score: 2
    I was just wondering about the same. The benefit of Smart Cards (preferably USB dongles) is that there is actually an x509 or PKCS#12 certificate on them. This means that one can use encryption as security. Use cases for Smart Cards:
    1. SSH
    2. OpenVPN or StrongSwan
    3. Encryption of harddrive
    4. SSL client certificate for web-browsing

    The dongles also lock themselves up if I type the wrong PIN too many times.

  15. Re:USB Device Recommendation by Saithe · · Score: 2

    I just bought a NEO-N, that little tiny device will be nice to have and it also supports NFC. Both NEOs support NFC.

  16. Re: USB Device Recommendation by ewibble · · Score: 2

    It actually could, well much more than the current system, given a couple things.

    1. The hardware does a challenge response; that way the private key is never given to the untrusted hardware/software system. OK, the untrusted system could log in once, but only once.
    2. The USB key doesn't allow the firmware to be reprogrammed (https://srlabs.de/badusb/).
    3. There is no other way than physically pressing the USB key to activate the challenge response each time.
    4. Do not allow a session to remain open indefinitely, especially if the same dongle is used to log in from somewhere else.

    I have been saying for years that this mechanism would be great for credit cards, and as a password replacement; of course you could still have passwords, but with this mechanism I would be fine without them.

    You could log in to any site with this: if the system used private/public key encryption, simply give the site your public key, and use it to log in by encrypting the challenge with your private key. Now if you ever use a password on a website you may as well consider it compromised.

    You could have multiple USB keys, if you wanted. You could even allow them to change the private key as long as there was a physical block on writing the key, a switch or something.

  17. Re:Smart Cards? by toonces33 · · Score: 2

    That's true, but there is nothing stopping a USB dongle from using x509 or PKCS#12. Typically any card or token that is also capable of being used for Windows login has these capabilities.

    I haven't found enough about this new thing to say how they work yet. The *implication* from Yubikey is that you need a "NEO" version for U2F, and it *sounds* like at least some of these capabilities may be present on that token. I will probably end up ordering one just for grins and giggles, and from there I should be able to query the thing and see whether it really supports x509 and/or PKCS#12.