Slashdot Mirror


Google Plans Upgrade of Two-Factor Authentication For Politicians and CEOs (theverge.com)

An anonymous reader quotes the Verge: Google plans on upgrading its two-factor authentication tool with an improved, physical security measure aimed at protecting high-profile users from politically motivated cyberattacks, according to a report from Bloomberg. The new service, to be called Advanced Protection Program and potentially slated to launch next month, will trade out the standard authentication process for services like Gmail and Google Drive with physical USB security keys. The service would also restrict the types of third-party apps and services that could connect to a user's Google account.

The changes are not likely to affect standard Google account owners, as Bloomberg reports that Google "plans to market the product to corporate executives, politicians and others with heightened security concerns."

14 of 92 comments

  1. We're not worthy by dcollins117 · · Score: 5, Insightful

    Ok Google, I get it. Us plebs don't deserve good security.

    1. Re:We're not worthy by geekmux · · Score: 2

      Ok Google, I get it. Us plebs don't deserve good security.

      Well, certainly no other account in a company would be worth securing, right? I mean what access would those piss-ant IT SysAdmins have? I mean, it's not like they control the entire server farm...

    2. Re:We're not worthy by SlaveToTheGrind · · Score: 4, Informative

      Well, the USB key has been available for well over two years now -- for less than $20.

      And what makes you think you wouldn't be able to buy the rest of the new security package if you wanted to (a) pay the going rate, just like above, and (b) live with the restrictions re third-party app access? TFA (which is basically somewhat educated rumor-mongering anyway) simply says it would be marketed to high-profile users, not that it would be restricted to them.

    3. Re:We're not worthy by Opportunist · · Score: 2

      Well, maybe that's the idea behind it: A two factor auth that even CEOs and politicians can't fuck up.

      Actually, I'm really curious now, so far my attempts have been thwarted. Every time I come up with a foolproof system, the board comes up with a more foolish CEO.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:We're not worthy by Anonymous Coward · · Score: 2, Informative

      Do you think they'd be doing this if it was Trump's Campaign Manager that got hacked, and Clinton had won the election? Would that story even spend any time in the media if that was the case?

      Google is addressing problems with their service. I think they would have done so if it was Trump as well. I'm not convinced any of it is partisan on their part. The better authentication is probably something they will sell to others if there is enough demand. Personally, if you want security, I seriously suggest you use a separate program to encrypt your emails before handing them over to Google. That way, even if they are vacuumed you have another layer of encryption such that only the sender and the recipient can get at them, assuming you have preshared public keys securely, such that you at least know they are unchanged.

      Of course had Hillary done that it would be proof to the right wingers of pizzagate or some other bs.

  2. Re:As usual, leftist politicians protect themselve by youngone · · Score: 2

    Ha! Ha! Leftists. Good one.
    As if the US has any leftist politicians.

  3. Another brilliantly useless article by mhkohne · · Score: 2

    I'd love to know what Google is actually changing, but the article doesn't really say - I've been using a physical security key for my google account logins for a while now. Though the 'limiting apps that can connect' is certainly a good thing, I can't figure out what they are actually changing otherwise.

    Does this involve being able to force accounts to use a security key? What's really going on here?

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  4. I lost my...[hacked] by geekmux · · Score: 2

    Because they will spend the money on USB keys and then not bother with creating some form of identity validation policy, cue the "I lost my USB key, can you give me a temporary password?" phone hack in 3...2...

    Social Engineering. Because hacking ignorance is timeless.

    1. Re:I lost my...[hacked] by Opportunist · · Score: 2

      And better nobody thinks that "company policy dictates that I must not" is an answer that CEO is going to accept. This is basically why the CEO fraud is so successful: CEOs with delusions of grandeur and a short temper, with underlings too scared to not jump when someone yells at them through the phone because they're used to it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I lost my...[hacked] by sl149q · · Score: 2

      For corporate gmail, the "can you give me a new password" request goes to the administrator of your corporate gmail. It does not go to Google.

      That raises the bar slightly. First, the hackers have to know who that is. Second, they have to determine what the practices and procedures for making the request are for your organization, and third, what a possible way to subvert them is. Should be different for all organizations.

  5. FIDO U2F keys? by Anonymous Coward · · Score: 3, Informative

    Google already supports FIDO U2F keys, such as YubiKey, that you can use instead of their Google 2FA app.

    How is this news?

  6. Re:Really? by sl149q · · Score: 2

    I suspect Gmail (corporate version) is more secure than what most organizations can implement and support.

    The only problem with hardware 2-factor is how to incorporate it into mobile. Is the phone itself a sufficient token (if coupled with something like TouchID to verify the user)?

    The FIDO hardware keys are a simple way to secure desktop access.

  7. Least likely to use it by HermMunster · · Score: 2

    Those two groups are least likely to use it.

    It isn't a good testbed.

    It implies everyone else is less important.

    It won't change hackers' mentality toward hacking.

    CEOs shouldn't be using Gmail.

    --
    You can lead a man with reason but you can't make him think.
  8. Protect from whom? by markdavis · · Score: 2

    So with the increased security, that helps to protect from people trying to hack into Google. But who protects us from Google? They already have too much information and now they insist on having even more:

    Google just pushed out an update last week, so apparently unless I turn on tracking and logging of everything I do (location, web history, etc), I can't use my Wear watch to search for ANYTHING anymore. Really?

    The watch was great when I first bought it. Then they updated and ruined the search ability. Instead of being a nice, fast, Google web-like search engine, it became some stupid Google Now-like thing that doesn't ever give me what I want and no choices. Several months later it is "upgraded" to "Google Assistant" which REQUIRES I turn on all this tracking and storage. Almost nothing I want to search for requires a "history" of what I have done in the past.