None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
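The article's claim that a security key stops phishing where a one-time code does not comes down to what the key actually signs. The following Python model is an added example, not code from the article or from Google: the key signs the site's appId, a signature counter and a hash of client data that the browser (not the user) fills in with the origin it is really connected to, so an assertion collected on a look-alike page fails the real site's origin check, and a replayed assertion fails the counter check. It stands in a per-site HMAC secret for the real per-site ECDSA key pair; the two origins, the user name and the challenge format are constructed.

```python
import hashlib, hmac, json, os, struct

def signed_message(app_id, counter, client_data):  # U2F: sha256(appId) || counter || sha256(clientData)
    return hashlib.sha256(app_id.encode()).digest() + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()

class SecurityKey:
    # Stand-in: a per-site HMAC secret shared with the site at registration instead of an ECDSA key pair
    def __init__(self):
        self.master, self.counter = os.urandom(32), 0
    def site_key(self, app_id, handle):
        return hmac.new(self.master, app_id.encode() + handle, hashlib.sha256).digest()
    def register(self, app_id):
        handle = os.urandom(16)
        return handle, self.site_key(app_id, handle)
    def sign(self, app_id, handle, challenge, browser_origin):
        self.counter += 1  # the browser, not the user, fills in the origin it is really connected to
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        msg = signed_message(app_id, self.counter, client_data)
        return client_data, self.counter, hmac.new(self.site_key(app_id, handle), msg, hashlib.sha256).digest()

class Site:
    def __init__(self, origin):
        self.origin, self.users, self.pending = origin, {}, {}
    def enroll(self, user, handle, site_key):
        self.users[user] = {"handle": handle, "key": site_key, "counter": 0}
    def begin_login(self, user):
        self.pending[user] = os.urandom(16).hex()
        return self.pending[user]
    def finish_login(self, user, client_data, counter, sig):
        u, cd, challenge = self.users[user], json.loads(client_data), self.pending.pop(user, None)
        if cd["origin"] != self.origin or cd["challenge"] != challenge:
            return False  # signed for another origin (a phishing page) or for a stale/unknown challenge
        if counter <= u["counter"]:
            return False  # signature counter went backwards: a replayed assertion or a cloned token
        expected = hmac.new(u["key"], signed_message(self.origin, counter, client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        u["counter"] = counter
        return True

REAL, PHISH = "https://accounts.example.com", "https://accounts-example.test"  # constructed origins

def relay_phish_security_key():
    site, key = Site(REAL), SecurityKey()
    handle, site_key = key.register(REAL)
    site.enroll("alice", handle, site_key)
    honest = site.finish_login("alice", *key.sign(REAL, handle, site.begin_login("alice"), REAL))
    # Relay: the phisher fetches a fresh challenge from the real site and hands it to the victim's
    # browser, but that browser is on the phishing origin, and that is the origin the key signs over
    phished = site.finish_login("alice", *key.sign(REAL, handle, site.begin_login("alice"), PHISH))
    return honest, phished
```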
I've never fallen for a phishing email with or without 2FA.
If Google's getting kudos after a year, I want a goddamned payout.
It was this article that finally made me switch from SMS verification codes for my personal email (gmail): Wired article
And I went to Google Authenticator only after I figured out how to put the same code on multiple devices and assure myself that I had enough backup hard copies of keys that I would not likely get locked out permanently should I ever lose my phone, etc.
The U2F works great for corporate, etc. where you have a support team who can help you in case you lose it or forget anything. They can make you come in person and prove that you are you.
The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.
Every time I log into a new box, the checkbox to remember this computer (and thus bypass 2FA in future) is pre-checked when inserting my hardware token.
Yes, signing into a machine means that to a certain degree I believe it's not already compromised. However, if I was wrong, and it was compromised, at least the hardware token should prevent password replays after 20 seconds had elapsed. Not with Google's defaults though! AFAIK there isn't even an option to change the default to unchecked if I wanted to.
Earlier this summer, Yubico mentioned this as part of a conference. For something as large as Google, this is pretty notable.
The biggest advantage the Yubikeys give is the proof there is some type of living being at the machine, via the button press. Of course, this doesn't mean 100% security in the future, but it means that an attack has to be done and queued up when someone is using the machine.
So...
https://en.wikipedia.org/wiki/RSA_SecurID March 2011 system compromise
YMMV
a friend.
I don't have mod points but I sure as hell got a fucking sense of humour and this is funny.
It little behooves the best of us to comment on the rest of us.
... Manning walks past security with a Lady Gaga CD and inserts that into a computer and walks out with the good stuff.
Now we have a shit load of people pulling out USB sticks ...
that a company so legendary for its recruitment practices, would let people who would fall for phishing scams join in the first place. Time to reapply!
People are amazed I don't do on-line banking, given my high tech lifestyle and knowledge of computers. I don't do online banking precisely because of what I know of computer security.
I'll take on-line banking seriously when my bank takes it seriously. That means offering some kind of key for user verification. This might be in the form of one of those pseudo-random number generators I had from a previous employer, a USB key like the one mentioned in the fine article, or whatever else of similar function that might be out there. I'd like something that I can use from any computer, but even if it's limited to my home computer or smart phone then I'd be very pleased. Until then I'm fine with going to the conveniently located brick and mortar bank location and taking advantage of the BTMs (bio-teller machines) inside.
I am armed because I am free. I am free because I am armed.
This USB-connector-sized ARM computer can run the U2F stack: http://tomu.im/
At $12/each (quantity 5) they aren't the cheapest out there (Amazon has 2 for $10), but they are fully open source.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
What happens when you lose the thing?
Also, passwords are free. Those USB 2FA devices are $20.
The millennial that doesn't like most of the stuff designed for millennials.
QC tattoos make a great long-term backup solution. Preferably under hair -- on a pet.
In other news, my car doors have not opened since I welded them shut.
Ya mamma so stoopid, someone said "It's chilly outside," and bitch ran and grabbed a spoon!
"...unless they also hack or possess that second factor" ... or socially engineer a user in a dozen ways.
Google's success here has absolutely nothing to do with the security keys. This kind of success has everything to do with being different.
Around here, we call this "the club" scenario. For those not in the know, there is (was?) a car security device called "the club" that locked your car's steering wheel, making it physically impossible (inconvenient?) to drive. Was it difficult for a car-thief to disable the club? Not really. Was it easier for a thief to steal a different car in the parking lot? Absolutely.
To forgo another car analogy, we can also look at the reason that left-handed sports players are always statistically better -- it's simply because most players aren't left-handed, which means that most players encounter fewer lefties, and hence are less experienced against lefties.
In either case, it's called a dominant minority.
Google's not successful here because they have chosen to use security keys. Google is successful here because they spent a lot of time and money and training and effort and co-ordination to do something that most people aren't currently doing.
Security keys are the minority. Hence, they are more troublesome targets.
Wait a few years.
The win here is "something new". The moment it isn't new, it won't be any more secure than anything else.
Sad.
So - using the same tech as we did 15+ years ago. Google, always on the cutting edge.
We started requiring a YubiKey USB key, and hours worked by people from home dropped over 20%! YubiKey claims to be FIPS compliant which is what our SSAE 16 requirements require. Security is important, but blocking people working extra hours is a huge cost.
I use Authy (Google Authenticator, improved edition) and just load all my soft tokens in there. Very good program.
I have even followed a very frustrating process to load my PayPal authenticator into it.
https://medium.com/@dubistkomi... (really recommend that for PayPal users)
Screw SMS authentication.
Hey that's great! Here, take one of mine. It has my personal open source on it.
Unfortunately their mobile version only works on NFC phones. No Bluetooth version for cheaper phones.
Doesn't sound much different from what people used to do with Sun Rays and the smart card one used with them. Heck, mine doubled as a key card for getting into certain sections of the building.
The physical security system for security keys is definitely superior in terms of security from a technical standpoint compared against security codes, but how many successful phishing attacks did they witness before this rollout?
I do hope that security keys find wider adoption (they're genuinely convenient and offer strong security), but we would need more information to know if this is actually a significant improvement in real security over more basic forms of two-factor authentication.
Smart cards are 1/4 the cost of YubiKey, readily available from multiple vendors, standards based and have been in production use for well over a decade. Nice to see companies like Google rediscovering and adopting poor implementations of old existing technology.
Direct USB interface is far inferior from a security POV for smart card application because an unguarded USB dongle can exploit the attack surface of an elephant standing on a giant turtle standing on a 747.
Covert replacement of USB devices is a massive and very much unnecessary attack vector for total system compromise vs smart card. Exposing USB ports to end users in a secure environment is a completely idiotic idea.
Everyone in our shop has used client certs for years and we are only a little shit operation with a few dozen people. It costs nothing to implement and offers substantially the same "phishing" protections.
Personally I don't buy or understand the threat modeling behind Google PR statements.
If Google lacks a trustworthy internal means of communications and employees were previously being suckered into giving an attacker their credentials, then certainly an attacker would also be able to get a substantially similar number of users to install malware that could be leveraged to effectively defeat the benefits of hardware keys.
Would very much love to see statistics on Google employees being subject of social engineering prior to deployment of 2FA.
Problems can also be avoided by using secure authentication protocols and training users to only enter passwords into system-provided dialogues, protecting end users from having their credentials stolen even if they mistakenly attempt to log in to an attacker's system.
Entering clear text into ad hoc web forms is a good example of insecure authentication.
A TLS-level PAKE such as TLS-SRP is an example of secure authentication which does not place user credentials at risk of compromise even if the user is being stupid.
I use a Yubikey for access control for my personal laptop. My experience:
* I bought one spare just in case I lose the main key. This is recommended by Yubi.
* I got another spare just in case either of the two primary keys blows its cookies. This is recommended by me because I used to do firmware for rotating mass storage devices. Hardware goes bad.
* All three must be configured identically with the Yubi Personalization Tool. Relatively easy.
* Now I've got 3 keys, none of which can fall into enemy hands. This is more work, worry and responsibility than a single key, but I think the pluses outweigh the minuses.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Does it have a proper hardware key store? I would feel less safe using a key stored in memory which can be read out via software and cloned.
They recommend you back up the private key, so it cannot be considered secure like a proper U2F key.
No. The article is, "Google is foolish enough to believe that they have not been phished. This mindset is the most dangerous and is a surefire way of leading to a big cover up when they realize how big a mistake they made. And with big cover ups almost always comes criminal actions and the ruining of good people's lives that try to expose the truth."
Time will tell. And in my life it tells me that these people will soon be eating a fowl dinner that isn't chicken or turkey.
Maybe I'm being totally clueless here, but I'm sure some of you more well versed in system security than I am can provide insight.
What I don't get about two-factor is, it seems like only the "second step" provides the true security? I mean, considering you already have the additional hassle of having to enter a randomly generated key code, produced on the piece of hardware you're carrying around, why even bother with the first part, the traditional password, anymore?
Passwords are regularly getting hacked or stolen from databases containing them, so they're failing at serving as good security. So why even bother with them anymore? Wouldn't it be just as secure, really, to log in as a user and immediately ask for that randomized, rotating code that the owner's device displays for them to enter?
Challenge accepted.
> AT LEAST one person in EVERY department clicked the link, except
> software development. That was enough. They got in to multiple
> servers and were able to harvest some passwords from memory.
If "clicking a link" results in bad guys getting into multiple servers, there needs to be mass firings in IT.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Well, they recommend that when you build the software, you create and install the key into the software (presumably on a secure, non-networked machine, like you use to create your certs) and so even if the chip is fully secure (it's not) you could still have a backup of the key.
No, though you can set flags on the build to disable debug readout of the software/data.
It's no Yubikey, but it's $12 in quantity 5, and it's way safer than no U2F device at all...