Google Discovers That Old Keys Are Better Than New Keys for Security

cageymaru

Google has discovered that the key to eliminating successful phishing attempts at the company is to give employees physical security keys. The new USB devices make security easy as they use the open source Universal 2nd Factor (U2F) and only require a simple press of a button to authenticate a supported website. In the future the Web Authentication API will eliminate the need for users to type in a password. Here are some of the devices for sale at Yubico.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.
 
I absolutely hate 2FA. Cannot stand it. Drives me nuts.

I mean, I'm OK with it being used to verify password reset attempts, and email changes and stuff like that, but not every time you log in.

The USB key thing is old school and cool. I have never used that.

Personally I keep things safe by using randomly generated long passwords stored in my Keepass database, which I can access via SSH, stored on my server in my basement from anywhere I am. It seems to do the trick. Except with a few annoying webpages that block copy and paste for passwords. I guess they are trying to make people smart about passwords by doing that, but it's really inhibiting my efforts rather than helping them.
 
This is not magic, everything starts somewhere. No one has said these devices have a magical RNG unicorn living inside. Like everything else, they have an algorithm that uses a big truly random number as a seed, given in the factory, as their basis.

Google is a big company, they likely use these keys per task or responsibility. Not how it is pushed on consumers, to be a master key/single point of failure for everything the person does...

When they don't spell out any of the little details,... Similar to Cloudflare's SecureDNS push. They could clearly spell out everything, but they intentionally provide little information on the website besides PR fluff.

I'll stick with MS's authenticator app's verification popup. Much easier on me. If the device is only for convenience after all.
 
In a few years Google will no doubt find anal probes work even better and adopt a strategy to convince people of its merits. I knows it 'cause I seen it. Sticks so big I can't lose them, see?
 
In a few years Google will no doubt find anal probes work even better and adopt a strategy to convince people of its merits. I knows it 'cause I seen it. Sticks so big I can't lose them, see?


I feel like there's an opportunity to insert a [H]ard joke here...
 
This is not magic, everything starts somewhere. No one has said these devices have a magical RNG unicorn living inside. Like everything else, they have an algorithm that uses a big truly random number as a seed, given in the factory, as their basis.

Google is a big company, they likely use these keys per task or responsibility. Not how it is pushed on consumers, to be a master key/single point of failure for everything the person does...

When they don't spell out any of the little details,... Similar to Cloudflare's SecureDNS push. They could clearly spell out everything, but they intentionally provide little information on the website besides PR fluff.

I'll stick with MS's authenticator app's verification popup. Much easier on me. If the device is only for convenience after all.

Eh? No, it's not magic, it's pretty standard public key crypto and no, there isn't a single point of failure. U2F is just a standardized way to do it. Each "KEY" contains an RNG and storage and generates then stores a public/private key pair for each website you set up. Those key pairs can be uploaded and downloaded off many of the U2F devices.
 
I feel like there's an opportunity to insert a [H]ard joke here...

I might have a clue what you're getting on...

 
Eh? No, it's not magic, it's pretty standard public key crypto and no, there isn't a single point of failure. U2F is just a standardized way to do it. Each "KEY" contains an RNG and storage and generates then stores a public/private key pair for each website you set up. Those key pairs can be uploaded and downloaded off many of the U2F devices.

Like I said and you just said "Each "KEY" contains an RNG and storage", that RNG is not a magic unicorn. Repeat, they do not have a magic unicorn in the device generating truly unique random numbers. They use an algorithm. Its seed is set at the factory. Maybe for Google, they get to set it themselves in their own facilities with custom equipment.

Either the physical RNG implementation or its seed is the weak point, when 3 letter agencies are involved. So it really is not better than just using a good 2FA app on a smartphone, like Microsoft's, though Google did play catch up a year or two after MS.

To me this is the perfect solution for Google to push to keep the government out of their phone. The key is a physical device that the government can subpoena and they get access to not only one account but everything under the sun, if you use it for everything. Also, much easier for any government to reroute the purchase order of anyone they deem of interest and give them an insecure key.

Might as well just keep using the very convenient app on my phone that pops up an Accept/Deny as my form of 2FA.


The reason public key encryption works is because you privately create your own secret key. You trust your Intel CPU. Not some cheap device off the internet. That literally costs pennies to produce. Puh-lease.
 
Like I said and you just said "Each "KEY" contains an RNG and storage", that RNG is not a magic unicorn. Repeat, they do not have a magic unicorn in the device generating truly unique random numbers. They use an algorithm. Its seed is set at the factory. Maybe for Google, they get to set it themselves in their own facilities with custom equipment.

All key pairs can be loaded by the user using any RNG they desire.

Either the physical RNG implementation or its seed is the weak point, when 3 letter agencies are involved. So it really is not better than just using a good 2FA app on a smartphone, like Microsoft's, though Google did play catch up a year or two after MS.

It's rather significant: orders of magnitude more difficult to crack U2F than TOTP.

To me this is the perfect solution for Google to push to keep the government out of their phone. The key is a physical device that the government can subpoena and they get access to not only one account but everything under the sun, if you use it for everything. Also, much easier for any government to reroute the purchase order of anyone they deem of interest and give them an insecure key.

If you are worried that a TLA is on your butt, you have bigger problems to worry about. something something classic XKCD something something....

Might as well just keep using the very convenient app on my phone that pops up an Accept/Deny as my form of 2FA.

Which are less secure and have proof of concept exploits and cracks.

The reason public key encryption works is because you privately create your own secret key. You trust your Intel CPU. Not some cheap device off the internet. That literally costs pennies to produce. Puh-lease.

And yet, you are wanting to use TOTP solutions that don't do any of that and have a shared secret...
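The per-site key pair described earlier in the thread, and the reason it holds up better than a TOTP shared secret, as an added example that is not part of any post here and is not Yubico's or Google's code. It models a U2F key in Go with stdlib ECDSA: one P-256 key pair per origin, a button-press byte and a counter folded into what gets signed, and a server-side check that only passes for the origin and challenge the signature was made for. The origin strings, the challenge bytes and the map-based key store are constructed for the example; real U2F wraps the private key in a key handle and adds an attestation certificate, which are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a U2F key: one key pair per origin plus a signature counter (no key handles or attestation here).
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register makes a fresh P-256 key pair for origin; the public half goes to the site, the private half stays on the device.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	a.keys[origin] = priv
	return &priv.PublicKey
}

// signedData follows the shape of the U2F authentication message: SHA-256(origin) || presence byte || counter || SHA-256(challenge).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	msg := append(app[:], 0x01) // 0x01 records the button press (user presence)
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, ch[:]...)
}

// Sign answers a challenge for the origin the browser reports; a look-alike phishing origin has no key here, so the device refuses.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, uint32, bool) {
	priv, ok := a.keys[origin]
	if !ok { return nil, 0, false }
	a.counter++
	h := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return sig, a.counter, true
}

// Verify is the site's check: the signature must cover the site's own origin and challenge, so a relayed or replayed assertion fails.
func Verify(pub *ecdsa.PublicKey, origin string, counter uint32, challenge, sig []byte) bool {
	h := sha256.Sum256(signedData(origin, counter, challenge))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Nothing the site stores (the public key) lets anyone forge an assertion, which is the contrast with a TOTP secret that both sides must hold; the counter is what lets a site notice a cloned key whose count runs behind.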
 
Works great 'til you forget your key at home, or on the bus, or on the plane, or just accidentally drop it, or the flash memory inside dies, etc.
 
Like I said and you just said "Each "KEY" contains an RNG and storage", that RNG is not a magic unicorn. Repeat, they do not have a magic unicorn in the device generating truly unique random numbers. They use an algorithm. Its seed is set at the factory. Maybe for Google, they get to set it themselves in their own facilities with custom equipment.

Either the physical RNG implementation or its seed is the weak point, when 3 letter agencies are involved. So it really is not better than just using a good 2FA app on a smartphone, like Microsoft's, though Google did play catch up a year or two after MS.

To me this is the perfect solution for Google to push to keep the government out of their phone. The key is a physical device that the government can subpoena and they get access to not only one account but everything under the sun, if you use it for everything. Also, much easier for any government to reroute the purchase order of anyone they deem of interest and give them an insecure key.

Might as well just keep using the very convenient app on my phone that pops up an Accept/Deny as my form of 2FA.


The reason public key encryption works is because you privately create your own secret key. You trust your Intel CPU. Not some cheap device off the internet. That literally costs pennies to produce. Puh-lease.

I thought it was like Yubikey, just hundreds of 512 character one-time passwords generated and uploaded to the device or some such approach. I don't think generation is onboard. Maybe the Google knockoff is. idk.
 
I can easily copy those.


I can't on my car anymore. While there is a physical key inside the FOB, it only opens the door. Need the FOB working to actually start the car. Which is a real pain when it decides to die on you while you're at the gas station, on a cold morning, just trying to get to work... :mad:
 
I absolutely hate 2FA. Cannot stand it. Drives me nuts.

I mean, I'm OK with it being used to verify password reset attempts, and email changes and stuff like that, but not every time you log in.

The USB key thing is old school and cool. I have never used that.

Personally I keep things safe by using randomly generated long passwords stored in my Keepass database, which I can access via SSH, stored on my server in my basement from anywhere I am. It seems to do the trick. Except with a few annoying webpages that block copy and paste for passwords. I guess they are trying to make people smart about passwords by doing that, but it's really inhibiting my efforts rather than helping them.


Yea. I use fossamail for imap emailing on pc and gmail for my mobile phone. Lose your phone or if it happens to die, without backup codes you're fucked. Lose the 2fa key usb thingy, you're fucked. Also cannot use 2fa usb thingy on a smartphone lol.
 
Yea. I use fossamail for imap emailing on pc and gmail for my mobile phone. Lose your phone or if it happens to die, without backup codes you're fucked. Lose the 2fa key usb thingy, you're fucked. Also cannot use 2fa usb thingy on a smartphone lol.

Um, Yubikeys can be used with mobile, they make versions that work over Bluetooth.
 