Slashdot Mirror


None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA (krebsonsecurity.com)

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity. From the report: Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device). A Google spokesperson said Security Keys now form the basis of all account access at Google. "We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time." The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

24 of 126 comments

  1. Wow a whole year by Anonymous Coward · · Score: 4, Insightful

    I've never fallen for a phishing email with or without 2fa.

    If Google's getting kudos after a year, I want a goddamned payout.

    1. Re:Wow a whole year by Aighearach · · Score: 3, Insightful

      My wife has never fallen for a phishing email either; she uses two factors. One, she got an email she doesn't understand. Two, she asks me to deal with it.

      Here is the thing, here is why this is huge news for nerds: Google never had to call me and ask. They didn't need to hire 85,000 nerds to protect 85,000 other employees. Their non-nerd employees were able to avoid phishing attacks with this system, on their own.

      And you can have whatever payout you want; I say reward yourself and take yourself outside for an activity.

    2. Re:Wow a whole year by Actually,+I+do+RTFA · · Score: 4, Insightful

      Google has 85,000 employees. For a phishing attack to work, it has to work on the dumbest employee.

      Since this implies that there were successful phishing attacks more than a year ago, congratulations on being better at security than the person in Google who gives the least shits.

      --
      Your ad here. Ask me how!

    3. Re:Wow a whole year by Jumperalex · · Score: 2

      It's also Google. They are more likely to be spearphished than anonymous cowards ;-)

      So they get more of them and better ones.

      --
      If you can't be good, be good at it!

    4. Re:Wow a whole year by ShanghaiBill · · Score: 2

      But why does the key work better than authenticating with a mobile phone?

      Both are "something you have" so what's the difference? Of course the phone is "something you already have" while the key is "something you have to buy".

  2. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  3. 2FA finally by supernova87a · · Score: 5, Interesting

    It was this article that finally made me switch from SMS verification codes for my personal email (gmail): Wired article

    And I went to Google Authenticator only after I figured out how to put the same code on multiple devices and assure myself that I had enough backup hard copies of keys that I would not likely get locked out permanently should I ever lose my phone, etc.

    The U2F works great for corporate, etc. where you have a support team who can help you in case you lose it or forget anything. They can make you come in person and prove that you are you.

    The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.

    1. Re:2FA finally by bobstreo · · Score: 3, Interesting

      JWZ had a writeup about SMS, Google Auth and OTP

      https://www.jwz.org/blog/2018/...

    2. Re:2FA finally by swillden · · Score: 3, Informative

      The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.

      You can use multiple U2Fs, and store one (or more) offsite. I'd recommend a set of backup codes offsite as well, where you won't be tempted to use them (to make phishing you harder), but where you can get them if needed.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    3. Re:2FA finally by swillden · · Score: 4, Interesting

      JWZ had a writeup about SMS, Google Auth and OTP

      https://www.jwz.org/blog/2018/...

      Using a TOTP solution like 1password or Google Authenticator is better than SMS, because unlike SMS it's very difficult to hijack. But it's still not as good as security keys (AKA FIDO U2F) as described in this article, because it can be phished. If you're certain that you could never, under any circumstances, be social-engineered into giving up your TOTP code then you're probably wrong about how gullible you are, because there are some really talented social engineers out there. But with U2F, you just can't do it.

      Also, U2F is much more convenient. You have to buy a USB dongle (or three) and stick one in your USB port, but then when you have to authenticate all you have to do is touch it. So much more convenient than looking at a number and typing it in. I work for Google, and the various systems I use require me to authenticate about a dozen times every day -- but often the authentication required is U2F only (because I already authenticated recently with my password) so it's very low-effort. The same would not be true if TOTP were required.

      Do keep in mind if you go U2F only, though, that losing or destroying your security key means you're locked out of your account and the only available recovery process will be intentionally tortuous and may fail. So use multiple security keys, and I'd suggest keeping a set of backup codes in a safe place that is also quite inconvenient for you to access (making it hard for anyone to social engineer you into giving them a code).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    4. Re:2FA finally by nine-times · · Score: 2

      The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked

      They just really need to come up with a coherent standard and get everyone onboard. Because SMS kind of made sense, until you find out that SMS is totally insecure. Then Google Authenticator (and similar OTP) comes out, which... really isn't half as good as people make it out to be. It's really just a second password, but stored and transmitted in a different way. That is, as far as I understand, the difference is that instead of sending the password over the internet and then storing a hash on the website, you store the password on the website and transmit part of the hash.

      But it kind of works, except sometimes you still need to share an account with someone, and it doesn't work for that. And if you lose the cell phone it's on, it's a huge pain. So companies get smart, and they start allowing you to sync the OTP token or include it in your password manager, which makes it much more convenient-- but then compromises the security benefits you were trying for in the first place.

      And then they have these USB dongles, which are kind of neat, but as you mention, are a pain if you lose them. And if you have the USB-A model and you have a device that only has USB-C ports, that's annoying. Same thing if you get the USB-C model and only have a machine with USB-A ports. Or if you have a phone with no USB ports, I guess that they have those wireless ones. And then some sites support some of these things and not others. A lot of sites support none of these things. And in any case, you're still stuck managing a bunch of passwords.

      It seems like we should be able to do something better than that. Why don't we do something where each user gets a password-protected private key, and websites all get a public key, and you verify your identity that way? You'd still have a password to protect things, but you'd just need one. If websites get hacked, there's no password to be compromised. We wouldn't need elaborate password managers or SSO, just methods of keeping the certificate safe, secure, and available.

      Ok, I'm sure that's not the best solution, but I'm not a security genius. Let some security genius figure out how we can make this stuff work that's not absurdly stupid.
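      The two comments above draw the same line from different directions: a TOTP code is "a second password" the server also holds, and it can be relayed because nothing in the six digits says which site the user thought they were typing into, whereas a security key's assertion is bound to the origin the browser was actually on. The Python below is an added example written for this page, not code from the thread, from Google or from any U2F library. It implements RFC 6238 TOTP as Google Authenticator does, and a deliberately simplified security-key model: a real U2F token signs with an ECDSA key pair and the server keeps only the public key, while here an HMAC over (origin, challenge) stands in for that signature and the relying party keeps the verifier key. The origin names, user name and secrets are constructed; the property demonstrated, that the same challenge signed for a look-alike origin is rejected, is the one the comments describe.

```python
"""Added example (not from the Slashdot thread or from Google): a relayed
TOTP code verifies, a relayed security-key assertion does not.

Constructed assumptions:
  - TOTP per RFC 6238 / RFC 4226: HMAC-SHA1, 30 s step, 6 digits.
  - The security key is a simplified model. A real U2F token signs with an
    ECDSA key pair and the server keeps only the public key; here an HMAC
    over (origin, challenge) stands in for that signature and the server
    keeps the verifier key. The property shown, origin binding, is the same.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple


# ---------- TOTP: the server stores the same secret the phone holds ----------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side, as servers do."""
    return any(hmac.compare_digest(totp(secret, now + 30 * d), code)
               for d in range(-skew, skew + 1))


def relayed_totp_accepted(now: int) -> bool:
    """A code typed into a look-alike page and forwarded 5 s later still
    verifies: the code carries no information about which site asked for it."""
    secret = b"12345678901234567890"   # constructed shared secret (the RFC test value)
    code_typed_into_lookalike = totp(secret, now)
    return totp_verify(secret, code_typed_into_lookalike, now + 5)


# ---------- Security key: the browser's origin is inside the signed data -------
class SecurityKey:
    """Simplified token: one secret per registration, which never leaves it."""

    def __init__(self) -> None:
        self._keys: Dict[bytes, bytes] = {}

    def register(self) -> Tuple[bytes, bytes]:
        handle, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._keys[handle] = key
        return handle, key   # stand-in for (key handle, public key)

    def sign(self, handle: bytes, origin: str, challenge: bytes) -> bytes:
        # `origin` is filled in by the browser from the page that made the
        # request; neither the user nor the page gets to choose it.
        return hmac.new(self._keys[handle], origin.encode() + b"\0" + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """The genuine site: stores registrations and checks assertions."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._regs: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, key: SecurityKey) -> None:
        self._regs[user] = key.register()

    def sign_request(self, user: str) -> Tuple[bytes, bytes]:
        handle, _ = self._regs[user]
        return handle, secrets.token_bytes(32)   # (key handle, fresh challenge)

    def verify(self, user: str, challenge: bytes, client_origin: str, sig: bytes) -> bool:
        handle, verifier = self._regs[user]
        if client_origin != self.origin:   # the check that defeats a relay
            return False
        expected = hmac.new(verifier, client_origin.encode() + b"\0" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def _assertion_accepted(browser_origin: str) -> bool:
    key, rp = SecurityKey(), RelyingParty("https://accounts.example")  # constructed
    rp.register("alice", key)
    handle, challenge = rp.sign_request("alice")  # a look-alike page can forward these
    sig = key.sign(handle, browser_origin, challenge)
    return rp.verify("alice", challenge, browser_origin, sig)


def genuine_assertion_accepted() -> bool:
    return _assertion_accepted("https://accounts.example")


def relayed_assertion_accepted() -> bool:
    """Same challenge, same key, but the browser was on the look-alike origin."""
    return _assertion_accepted("https://accounts-example.invalid")


if __name__ == "__main__":
    print("TOTP relay accepted:   ", relayed_totp_accepted(59))     # True
    print("Genuine key assertion: ", genuine_assertion_accepted())  # True
    print("Relayed key assertion: ", relayed_assertion_accepted())  # False
```

      Run stand-alone it prints the three outcomes; the TOTP case uses the RFC 6238 test secret at time 59, whose 6-digit code is 287082. The design point for a defender is in `RelyingParty.verify`: the origin comparison happens before any cryptography, and the origin is something the browser asserts, not something the user can be talked into typing.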

    5. Re:2FA finally by swillden · · Score: 3, Informative

      I think that for most people, the combination of relative usability and risk leads to the choice of using TOTP on your phone, not the extent of a hardware dongle / key.

      I disagree. I think the security key is the most usable solution, especially if you get the nano-sized keys that fit almost entirely into the USB port so you can just leave them plugged in all the time. This does mean that if you lose your laptop you lose the security key as well, but (a) you can revoke the key, (b) the most important risks are from remote attackers and (c) if a sophisticated attacker gets your laptop you're probably SoL anyway.

      The only real argument against U2F, IMO, is cost. You have to buy the security keys.

      For some service where you have no other way to prove yourself, losing the hardware is just too risky. For me at least.

      That problem is orthogonal to the question of what type of 2FA to use. If you only use TOTP on your phone, then losing your phone (or dropping it in the toilet, etc.) leaves you without a way to recover. With Google's services, you can use U2F *and* TOTP *and* SMS *and* backup codes if you want. Of course, the more you use the more opportunities you give an attacker, so there's a tradeoff.

      IMO, the best solution is a nano U2F security key which you leave in a USB port of each computer you use, plus another (larger) U2F security key on your key ring and one more stored in a safe place, along with a printed list of backup codes. This is not the cheapest solution, however, since if you have a laptop and a desktop it means you need four U2F keys.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    6. Re:2FA finally by stikves · · Score: 3, Informative

      Actually you can have backups.

      When you enable 2FA, you'll get 10 backup codes which you can print and store offline (in a safe place).
      You can also associate more than one device for 2FA. I actually have 4 active devices on my account. (One on the keychain, another on my badge, 2 backups at home).

      Even if you were to lose all of them, it would still be possible to recover your account; however, it would of course require some effort.
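      The backup codes mentioned above only work as a recovery path if the service stores them the way it stores passwords and burns each one on use. The Python below is an added example written for this page, not the thread's or Google's code: a single-use backup-code store that issues ten printable codes once, keeps only salted PBKDF2 digests, and consumes a code when it is redeemed. The code format, hashing parameters and in-memory store are constructed assumptions.

```python
"""Added example (not from the Slashdot thread or from Google): a server-side
store for single-use backup codes, ten codes printed once and kept offline.

Constructed assumptions: the code format, the hashing parameters and the
in-memory store; a real service would keep the entries in its user database.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# No 0/O, 1/l/I: codes are meant to be read back from a sheet of paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
PBKDF2_ROUNDS = 20_000


def normalize(code: str) -> str:
    """Tolerate the dash, spaces and capitals a user adds when typing from paper."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _digest(code: str, salt: bytes) -> bytes:
    # Only the salted, stretched digest is stored, so a database leak does not
    # hand out a working second factor.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Unused codes for one account. Redeeming a code removes it."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, digest)

    def issue(self, count: int = 10) -> List[str]:
        """Generate a fresh set, invalidating any earlier set (as regenerating
        codes does). The plaintext is returned once for printing and not kept."""
        self._entries = []
        printable = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _digest(raw, salt)))
            printable.append(f"{raw[:5]}-{raw[5:]}")
        return printable

    def redeem(self, typed: str) -> bool:
        """True once per code: the matching entry is consumed."""
        candidate = normalize(typed)
        if len(candidate) != CODE_LEN:
            return False
        matched: Optional[int] = None
        # Check every remaining entry rather than stopping at the first hit, so
        # the response time does not reveal which slot matched.
        for i, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(_digest(candidate, salt), digest):
                matched = i
        if matched is None:
            return False
        del self._entries[matched]
        return True

    def remaining(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    store = BackupCodes()
    codes = store.issue()
    print("print these and keep them offline:", codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```

      Two choices worth noting: `issue` replaces the whole set rather than appending, so a regenerated sheet invalidates the old one the user may have lost; and `redeem` accepts the code in any case with or without the dash, because a backup code that fails on a typo defeats the purpose of having it in a safe.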

  4. Google's 2FA defaults are annoying by DigitAl56K · · Score: 3, Interesting

    Every time I log into a new box, the checkbox to remember this computer (and thus bypass 2FA in future) is pre-checked when inserting my hardware token.

    Yes, signing into a machine means that to a certain degree I believe it's not already compromised. However, if I was wrong, and it was compromised, at least the hardware token should prevent password replays after 20 seconds had elapsed. Not with Google's defaults though! AFAIK there isn't even an option to change the default to unchecked if I wanted to.

  5. Yubico was talking about this during a Linux talk by ctilsie242 · · Score: 3, Interesting

    Earlier this summer, Yubico mentioned this as part of a conference. For something as large as Google, this is pretty notable.

    The biggest advantage the Yubikeys give is the proof there is some type of living being at the machine, via the button press. Of course, this doesn't mean 100% security in the future, but it means that an attack has to be done and queued up when someone is using the machine.

  6. U2F for cheap (if you can come up with 4 friends) by rthille · · Score: 3, Informative

    This usb-connector sized ARM computer can run the U2F stack: http://tomu.im/
    At $12/each (quantity 5) they aren't the cheapest out there (Amazon has 2 for $10), but they are fully open source.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/

  7. What happens by DarkRookie · · Score: 2

    What happens when you lose the thing?
    Also, passwords are free. Those USB 2FA are $20.

    --
    The millennial that doesn't like most of the stuff designed for millennials.

  8. Best backup solution... by sweet+'n+sour · · Score: 3, Funny

    The problem with implementing this (without enough backups) for personal is that if you ever lose all of your key info or code generator, you are absolutely fucked because there is no way to prove who you are to Google and have them reset your password / security. So you've got to have multiple backups in different places should your house ever burn down, etc.

    QC tattoos make a great long-term backup solution. Preferably under hair -- on a pet.

  9. How many were scammed before 2FA? by networkzombie · · Score: 2

    In other news, my car doors have not opened since I welded them shut.

  10. Absolutely nothing to do with the security keys by holophrastic · · Score: 2

    "...unless they also hack or possess that second factor" . . or socially engineer a user in a dozen ways.

    Google's success here has absolutely nothing to do with the security keys. This kind of success has everything to do with being different.

    Around here, we call this "the club" scenario. For those not in the know, there is (was?) a car security device called "the club" that locked your car's steering wheel, making it physically impossible (inconvenient?) to drive. Was it difficult for a car-thief to disable the club? Not really. Was it easier for a thief to steal a different car in the parking lot? Absolutely.

    To forego the another-car-analogy, we can also look at the reason that left-handed sports players are always statistically better -- it's simply because most players aren't left-handed, which means that most players encounter fewer lefties, and hence are less experienced against lefties.

    In either case, it's called a dominant minority.

    Google's not successful here because they have chosen to use security keys. Google is successful here because they spent a lot of time and money and training and effort and co-ordination to do something that most people aren't currently doing.

    Security keys are the minority. Hence, they are more troublesome targets.

    Wait a few years.

    The win here is "something new". The moment it isn't new, it won't be any more secure than anything else.

  11. But how many thousands of hours were lost? by greenwow · · Score: 4, Interesting

    We started requiring a YubiKey USB key, and hours worked by people from home dropped over 20%! YubiKey claims to be FIPS compliant which is what our SSAE 16 requirements require. Security is important, but blocking people working extra hours is a huge cost.

  12. Is this a physical physical 2fa or potential softt by AbRASiON · · Score: 2

    I use authy (Google authenticator, improved edition) and just load all my soft tokens in there. Very good program.

    I have even followed a very frustrating process to load in my PayPal authenticator in to it.

    https://medium.com/@dubistkomi... (really recommend that for PayPal users)

    Screw SMS authentication.

  13. Gotchas by mnemotronic · · Score: 2

    I use a Yubikey for access control for my personal laptop. My experience:
    * I bought one spare just in case I lose the main key. This is recommended by Yubi.
    * I got another spare just in case either of the two primary keys blows its cookies. This is recommended by me because I used to do firmware for rotating mass storage devices. Hardware goes bad.
    * All three must be configured identically with the Yubi Personalization Tool. Relatively easy.
    * Now I've got 3 keys, none of which can fall into enemy hands. This is more work, worry and responsibility than a single key, but I think the pluses outweigh the minuses.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.

  14. Speaking of 2FA .... by King_TJ · · Score: 3, Interesting

    Maybe I'm being totally clueless here, but I'm sure some of you more well versed in system security than I am can provide insight.

    What I don't get about 2 factor is, it seems like only the "second step" provides the true security? I mean, considering you already have the additional hassle of having to enter a randomly generated key code, produced on your piece of hardware you're carrying around, why even bother with the first part; the traditional password, anymore?

    Passwords are regularly getting hacked or stolen from databases containing them, so they're failing at serving as good security. So why even bother with them anymore? Wouldn't it be just as secure, really, to log in as a user and immediately ask for that randomized, rotating code that the owner's device displays for them to enter?