Slashdot Mirror


None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.
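Why a one-time code can be phished but a Security Key assertion cannot is the point the report leaves implicit. The following is an added example, not code from the article or from Google's implementation: it models both flows end to end with an attacker who relays the victim's response to the real site. The TOTP half is RFC 6238 as written (HMAC-SHA1, 30 s step). The U2F half is a simplified model using only the standard library: a real key derives a per-site ECDSA key pair, whereas this model derives a per-site HMAC key, which preserves the property under test, namely that the browser fixes the signed origin to the page the user is actually on. The origins, secret and challenge format are constructed for the example.

```python
"""TOTP code vs. U2F assertion under a relay (phishing) attack. Stdlib only."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"            # assumed relying-party origin
PHISH_ORIGIN = "https://accounts-example.com.evil.test"  # assumed phishing origin


# ---- TOTP, RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) ------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_phishing_succeeds(unix_time: int = 1_700_000_000) -> bool:
    """Victim types the current code into the phishing page; the attacker relays
    it to the real server a few seconds later, inside the same 30 s window."""
    shared_secret = b"12345678901234567890"        # constructed test secret
    code_typed_into_phish_page = totp(shared_secret, unix_time)
    # A TOTP code is a bearer value: nothing in it records which site it was meant for.
    return hmac.compare_digest(totp(shared_secret, unix_time + 5), code_typed_into_phish_page)


# ---- U2F, simplified model ----------------------------------------------------
class SecurityKey:
    """Authenticator. Real U2F derives a per-app-ID ECDSA P-256 key pair from the
    device secret; this toy model derives a per-app-ID HMAC key instead, so a
    registration for one app ID still cannot produce a valid signature for another."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)
        self.counter = 0

    def _key_for(self, app_id: str) -> bytes:
        return hmac.new(self.device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        return self._key_for(app_id)           # stands in for the public key the RP stores

    def authenticate(self, app_id: str, client_data: bytes):
        self.counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + struct.pack(">I", self.counter)
                  + hashlib.sha256(client_data).digest())
        return self.counter, hmac.new(self._key_for(app_id), signed, hashlib.sha256).digest()


def browser_sign(key: SecurityKey, page_origin: str, challenge: str):
    """The browser, not the page, sets the app ID to the page's own origin and
    records that origin in the client data; a phishing page cannot ask the key
    to sign on behalf of someone else's origin."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = key.authenticate(page_origin, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self, app_id: str):
        self.app_id, self.verify_key, self.last_counter, self.pending = app_id, None, 0, None

    def enrol(self, key: SecurityKey):
        self.verify_key = key.register(self.app_id)

    def issue_challenge(self) -> str:
        self.pending = secrets.token_urlsafe(32)
        return self.pending

    def verify(self, client_data: bytes, counter: int, sig: bytes, check_origin: bool = True) -> bool:
        cd = json.loads(client_data)
        if cd.get("challenge") != self.pending:
            return False                       # stale or unknown challenge
        if check_origin and cd.get("origin") != self.app_id:
            return False                       # browser-reported origin is not ours
        if counter <= self.last_counter:
            return False                       # replay or cloned-key detection
        signed = (hashlib.sha256(self.app_id.encode()).digest()
                  + struct.pack(">I", counter)
                  + hashlib.sha256(client_data).digest())
        expected = hmac.new(self.verify_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False                       # signed under a different app ID
        self.last_counter, self.pending = counter, None
        return True


def u2f_login(page_origin: str, check_origin: bool = True) -> bool:
    """Enrol a key at REAL_ORIGIN, then log in with the victim's browser on
    page_origin and the response relayed, unmodified, to the real RP."""
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    rp.enrol(key)
    challenge = rp.issue_challenge()           # the attacker may relay this verbatim
    return rp.verify(*browser_sign(key, page_origin, challenge), check_origin=check_origin)
```

`totp_phishing_succeeds()` returns True: the relayed code is accepted. `u2f_login(PHISH_ORIGIN)` returns False, and it stays False even with `check_origin=False`, because the signature itself covers the origin the browser saw and was made under a key bound to that origin; only `u2f_login(REAL_ORIGIN)` succeeds.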

4 of 126 comments

  1. U2F for cheap (if you can come up with 4 friends) by rthille · Score: 3, Informative

    This USB-connector-sized ARM computer can run the U2F stack: http://tomu.im/
    At $12 each (quantity 5) they aren't the cheapest out there (Amazon has 2 for $10), but they are fully open source.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  2. Re:2FA finally by swillden · Score: 3, Informative

    The problem with implementing this (without enough backups) for personal use is that if you ever lose all of your key info or code generator, you are absolutely fucked, because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.

    You can use multiple U2Fs, and store one (or more) offsite. I'd recommend a set of backup codes offsite as well, where you won't be tempted to use them (to make phishing you harder), but where you can get them if needed.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Re:2FA finally by swillden · Score: 3, Informative

    I think that for most people, the combination of relative usability and risk leads to the choice of using TOTP on your phone, not the extent of a hardware dongle / key.

    I disagree. I think the security key is the most usable solution, especially if you get the nano-sized keys that fit almost entirely into the USB port so you can just leave them plugged in all the time. This does mean that if you lose your laptop you lose the security key as well, but (a) you can revoke the key, (b) the most important risks are from remote attackers and (c) if a sophisticated attacker gets your laptop you're probably SoL anyway.

    The only real argument against U2F, IMO, is cost. You have to buy the security keys.

    For some service where you have no other way to prove yourself, losing the hardware is just too risky. For me at least.

    That problem is orthogonal to the question of what type of 2FA to use. If you only use TOTP on your phone, then losing your phone (or dropping it in the toilet, etc.) leaves you without a way to recover. With Google's services, you can use U2F *and* TOTP *and* SMS *and* backup codes if you want. Of course, the more you use the more opportunities you give an attacker, so there's a tradeoff.

    IMO, the best solution is a nano U2F security key which you leave in a USB port of each computer you use, plus another (larger) U2F security key on your key ring and one more stored in a safe place, along with a printed list of backup codes. This is not the cheapest solution, however, since if you have a laptop and a desktop it means you need four U2F keys.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Re:2FA finally by stikves · Score: 3, Informative

    Actually you can have backups.

    When you enable 2FA, you'll get 10 backup codes which you can print and store offline (in a safe place).
    You can also associate more than one device for 2FA. I actually have 4 active devices on my account. (One on the keychain, another on my badge, 2 backups at home.)

    Even if you were to lose all of them, it would still be possible to recover your account, though it would of course require some effort.