None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

← Back to Stories (view on slashdot.org)

None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

Posted by msmash on Monday July 23, 2018 @08:00AM from the proving-useful dept.

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

7 of 126 comments (clear)

Min score:

Reason:

Sort:

2FA finally by supernova87a · 2018-07-23 08:08 · Score: 5, Interesting

It was this article that finally made me switch from SMS verification codes for my personal email (gmail): Wired article

And I went to Google Authenticator only after I figured out how to put the same code on multiple devices and assure myself that I had enough backup hard copies of keys that I would not likely get locked out permanently should I ever lose my phone, etc.

The U2F works great for corporate, etc. where you have a support team who can help you in case you lose it or forget anything. They can make you come in person and prove that you are you.

The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.
1. Re:2FA finally by bobstreo · 2018-07-23 08:13 · Score: 3, Interesting
  
  JWZ had a writeup about SMS, Google Auth and OTP
  https://www.jwz.org/blog/2018/...
2. Re:2FA finally by swillden · 2018-07-23 09:19 · Score: 4, Interesting
  
  JWZ had a writeup about SMS, Google Auth and OTP
  https://www.jwz.org/blog/2018/...
  Using a TOTP solution like 1password or Google Authenticator is better than SMS, because unlike SMS it's very difficult to hijack. But it's still not as good as security keys (AKA FIDO U2F) as described in this article, because it can be phished. If you're certain that you could never, under any circumstances, be social-engineered into giving up your TOTP code then you're probably wrong about how gullible you are, because there are some really talented social engineers out there. But with U2F, you just can't do it.
  Also, U2F is much more convenient. You have to buy a USB dongle (or three) and stick one in your USB port, but then when you have to authenticate all you have to do is touch it. So much more convenient than looking at a number and typing it in. I work for Google, and the various systems I use require me to authenticate about a dozen times every day -- but often the authentication required is U2F only (because I already authenticated recently with my password) so it's very low-effort. The same would not be true if TOTP were required.
  Do keep in mind if you go U2F only, though, that losing or destroying your security key means you're locked out of your account and the only available recovery process will be intentionally tortuous and may fail. So use multiple security keys, and I'd suggest keeping a set of backup codes in a safe place that is also quite inconvenient for you to access (making it hard for anyone to social engineer you into giving them a code).
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Google's 2FA defaults are annoying by DigitAl56K · 2018-07-23 08:09 · Score: 3, Interesting

Every time I log into a new box, the checkbox to remember this computer (and thus bypass 2FA in future) is pre-checked when inserting my hardware token.
Yes, signing into a machine means that to a certain degree I believe it's not already compromised. However, if I was wrong, and it was compromised, at least the hardware token should prevent password replays after 20 seconds had elapsed. Not with Google's defaults though! AFAIK there isn't even an option to change the default to unchecked if I wanted to.
Yubico was talking about this during a Linux talk by ctilsie242 · 2018-07-23 08:09 · Score: 3, Interesting

Earlier this summer, Yubico mentioned this as part of a conference. For something as large as Google, this is pretty notable.
The biggest advantage the Yubikeys give is the proof there is some type of living being at the machine, via the button press. Of course, this doesn't mean 100% security in the future, but it means that an attack has to be done and queued up when someone is using the machine.
But how many thousands of hours were lost? by greenwow · 2018-07-23 09:38 · Score: 4, Interesting

We started requiring a YubiKey USB key, and hours worked by people from home dropped over 20%! YubiKey claims to be FIPS compliant which is what our SSAE 16 requirements require. Security is important, but blocking people working extra hours is a huge cost.
Speaking of 2FA .... by King_TJ · 2018-07-24 01:48 · Score: 3, Interesting

Maybe I'm being totally clueless here, but I'm sure some of you more well versed in system security than I am can provide insight.
What I don't get about 2 factor is, it seems like only the "second step" provides the true security? I mean, considering you already have the additional hassle of having to enter a randomly generated key code, produced on your piece of hardware you're carrying around, why even bother with the first part; the traditional password, anymore?
Passwords are regularly getting hacked or stolen from databases containing them, so they're failing at serving as good security. So why even bother with them anymore? Wouldn't it be just as secure, really, to log in as a user and immediately ask for that randomized, rotating code that the owner's device displays for them to enter?