Google Takes On Yubico and Builds Its Own Hardware Security Keys

Discussion in 'HardForum Tech News' started by Megalith, Jul 25, 2018.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    13,004
    Joined:
    Aug 20, 2006
    Following the company’s glowing endorsement of hardware security keys, which reportedly neutralized employee phishing, Google will be selling its own with custom firmware. The “Titan Security Key” will come in two versions: one with Bluetooth support for mobile devices, and one that plugs directly into your computer’s USB port. It’ll be available on the Google Store, though no pricing has been announced.

    Yubico founder and CEO Stina Ehrensvard throws a bit of shade on Google’s decision to support Bluetooth. “Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability.”
     
  2. EricZBA

    EricZBA n00b

    Messages:
    24
    Joined:
    Dec 24, 2008
    What happens when Google inevitably decides to cancel the project? Keys stop working?
     
  3. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,324
    Joined:
    Nov 9, 2017
    I get it... brilliant! When the Google cars come around for photos they can quietly access your computer and take whatever they want. Cool!

    I bet they sell a million-million of em!
     
  4. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    I would get one if it was directly from Google's store, or the same deal from Microsoft or Apple.

    Buying a security key from Amazon, with its constant counterfeit problems, when the key costs pennies to produce, and it's a USB device, the worst possible interface for security... That's nuts.

    It would sure be nice to be able to lose my smartphone and not have it be that huge a deal.
     
  5. ArFLaserBear

    ArFLaserBear n00b

    Messages:
    35
    Joined:
    Jun 30, 2017
    Not entirely sure but I've seen some projects of unlocking phones using Yubikey, they have a bluetooth and NFC version so you can use it the same/ish way as the USB version for 2FA on phones and apps...
     
  6. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    If you buy a Yubikey they come with unique serial numbers that Yubikey verifies for you; that is not particularly easy to counterfeit.
     
  7. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    No thanks, YubiKey's OTP implementation included part of the serial number before. I don't trust them one bit. They smell of what we found out about RSA a while back. I'd rather dance with Apple/Microsoft/Google, if I have to take a broken, weakened implementation. YubiKey is a tiny nobody.
     
  8. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    Lol, okay. You can do what you want, but all three of the companies you mentioned use YubiKey.
     
  9. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    Their older Yubikeys had a unique number included as the first part of every single OTP sent out. What security company would do that? I keep saying YubiKey, but it's actually Yubico. They are no privacy/security angels.
     
  10. RanceJustice

    RanceJustice [H]ardness Supreme

    Messages:
    5,985
    Joined:
    Jun 9, 2003
    Not that Yubico hasn't made mistakes, but they've at least seemingly kept to open standards and open source more than most. They also manufactured in the EU at least in part (or used to be?). With Google I'm concerned about a number of things.

    First, that they won't try and push the "Google friendly" implementation of whatever tech they use on the software side. I can remember for a while FIDO U2F, for instance, was basically tested on Chrome but did NOT work with Firefox etc. Now there's FIDO2 and I don't think even the Yubikeys can do that one except for the one specifically and only FIDO viable, as compared to FIDO U2F, which is available on multiple ones. Google also started out with Google Authenticator, the Android app that implements standard HOTP/TOTP, open source. However, they soon closed it down and made it proprietary after a certain version; many authenticators, both open and proprietary, are based on the last FLOSS version from several years back. Though it's also a concern with Yubico since it is partially a US company, with Google the potential for the whole thing to be made vulnerable or backdoored at US government request seems more pressing. Assuming they don't compromise the underlying cryptography from the start, it could be something added to later versions and/or firmware updates (if allowed), to prepare for / in reaction to the next time there's an "event" where we "just have to get the info from the bad people".

    For a variety of reasons I'm not sure that handing over yet another part of our data and security apparatus to Google is a good idea. How it stacks up to Yubico these days, however, is yet to be seen. Perhaps what we really need is a 3rd party security key company (perhaps ideally a worker-owned co-op or foundation), using the latest fully open cryptography tech w/standards and options for 2FA, OpenPGP and much more, with open source configuration tools/tech to select what "slots" are needed, with both manufacturing and business headquartering in a "safer" country with more privacy protection (ie outside the 14 Eyes nations, China, Russia, Israel etc). I wonder....
     
  11. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    My assumption is that the devices themselves are 100% backdoored and vulnerable. But the actual convenience they offer, to make losing/changing phones a lot less of a hassle... I'd rather get it from a big company like Google or Microsoft.

    You know, last I checked, several years back, the actual device that made the keys was from someone else. Yubico is a value-added company; the keys are not its core competency anyway.
     
  12. DrEvil

    DrEvil n00b

    Messages:
    1
    Joined:
    Jul 26, 2018
    I both visited and interviewed with Yubico. For the Yubikey devices sold in North America, they claimed that they are only stamped/coded here before going out to customers, or the "blanks" are stamped/coded by the customer themselves. Besides their Palo Alto office where I saw them coding keys, they have a facility in the East Bay that fabricates the keys as well. Depending on the volume of keys needed by a mid-size/enterprise customer, the coding machine to code the "blanks" can be part of the deal is how I understand it.
     
  13. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    All in the US. That guarantees it's 100% backdoored, every purchase immediately registered and notifications sent out. Encryption is a munition after all.
     
  14. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    You make lots of assumptions and your assumptions are incorrect. Customers can actually key their own devices. There are numerous methods for Yubikeys now as well, they aren't all OTP.
     
  15. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    I actually never assumed anything you just said, nor did any of my comments actually infer that. Easy to make a witty remark when you just make shit up. Internet clap for you.

    Also, when I was looking at Yubikeys, way back when (and even bought one), it wasn't for the OTP feature. You don't even know what you are talking about. Troll harder buddy.


    edit: to be clear, I wasn't interested in the OTP feature at all. That's why, when I received the device and was going through the other features and saw how the OTP was configured, I threw the device in the trash.
     
  16. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    I think you need to rethink who the troll is. Where to start? Okay, let's just start with each of your posts.

    Here you start off by mentioning OTP and only OTP. You also mention something that isn't the only way to use the device, nor the current or approved method. Also, as far as privacy and security angels, they literally give a number of ways you can keep all the information yourself, so yes, actually they are.

    Here you start with your "assumptions". You say they are 100% backdoored and vulnerable. That also is not true. Yubico was behind the technology of how the keys were made and how they function. The key is their core competency.

    Actually they aren't all made in the US; they are made in Sweden as well. Also, the keys used for them can be provided by the customer. Neither Yubikey nor any other company has to be involved with the key's encryption or function. It is developed with open standards so that you can create your own workflows and process for how the key works with your technology.

    Here we are again with OTP...as if that is all the device does or that it has to use OTP, it does not. You also talk about weakened implementation, what implementation? The implementation is up to the customer.

    You are the one that is trolling. You give a lot of misinformation about Yubikey and paint a false picture. It does not seem you even understand what the Yubikey is or how they function. You throw one in the trash just because of how the OTP was configured out of the box, something that is easily changed. You say you looked into it for something else, and yet it seems you didn't even try it or research how to use the different functionalities.

    Did you even bother trying to call them? You also say they are a tiny nobody, but that also isn't true. They are heavily used in the industry.
     
  17. Jagger100

    Jagger100 [H]ardness Supreme

    Messages:
    7,471
    Joined:
    Oct 31, 2004
    I don't need to give Google more data to mine. From what I understand the site that permits this needs to access a server which would be owned by Google. Not only does Google learn when and where I'm logging in, but whatever additional information Google requires from the company as price of admission to their service.
     
  18. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    It makes more sense that you are a paid shill; if not, it's 2018, get your head out of the sand.

    You just keep pushing out PR, "You throw one in the trash just because of how the OTP was configured out of the box, something that is easily changed." It wasn't. The unique serial number was a hardcoded feature. Again, you don't know what you are talking about. So maybe that just puts you in fanboy/troll camp again.
     
  19. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    Why, because I present facts while you keep spouting unsubstantiated nonsense? You have literally presented zero evidence for anything you have said. You made assumptions and then tried to say you didn't, so I directly quoted you.

    Then you say I don't know what I am talking about, but you don't even seem to understand the point of the Yubikeys, or even how they work. You can't even explain what you were intending to use them for or what you were researching them for. You talk about hardcoded serial codes used for OTP, but you don't have to use OTP, nor did you have to necessarily use those hardcoded serial numbers. In addition, they changed that. Like any company they learn and adapt, yet you keep attacking them using very early products... That is like saying all Linux versions are shit, because back when they started they had far less security and didn't require complex passwords or two factor authentication....

    Like I said, zero evidence backing up anything you have said.

    Stop trolling.
     
  20. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    Ok, it's proven, you're an internet keyboard warrior. Dude, back then, the serial number in the OTP codes was a hardcoded/non-optional feature. After folks complained (which is how I found out), it was changed. But you physically needed a new key to do that.

    No hard feelings, I don't know why you are so triggered, but seriously, if you learn anything, don't champion stuff you haven't dealt with first hand.
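The OTP format the last several posts argue about, as an added example that is not from any post in this thread: a Yubico OTP is 44 modhex characters, the first 12 encoding the token's fixed 6-byte public ID in the clear and the remaining 32 a 16-byte AES-128 block that only the verifier holding the token's key can decrypt. The two sample OTPs are constructed, not real token output; they show why two OTPs from one token are linkable by any observer without key material, which is the privacy property the thread is disputing.

```python
# Added example (not from the thread): structure of a Yubico OTP.
# 44 modhex chars = 12 chars (6 bytes) of fixed public ID, in cleartext,
# followed by 32 chars (16 bytes) of AES-128 ciphertext. Only the ciphertext
# changes per press; the public ID is identical in every OTP the token emits.
MODHEX = "cbdefghijklnrtuv"  # modhex digit at index i encodes hex nibble i


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to bytes; rejects odd length or bad characters."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not valid modhex: %r" % s)
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def split_otp(otp: str) -> dict:
    """Split an OTP into its cleartext public ID and its encrypted block."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("Yubico OTP must be 44 modhex characters")
    public_id, body = otp[:12], otp[12:]
    # The 16-byte block decrypts (with the per-token AES key held by the
    # verifier, which looks that key up by public ID) to:
    # private ID(6) | session counter(2) | timestamp(3) | session use(1) |
    # random(2) | CRC16(2). None of that is visible to an observer.
    return {
        "public_id": public_id,
        "public_id_bytes": modhex_decode(public_id),
        "ciphertext": modhex_decode(body),
    }


def same_token(otp_a: str, otp_b: str) -> bool:
    """True if both OTPs carry the same public ID, i.e. an observer can link
    them to one physical token without any key material."""
    return split_otp(otp_a)["public_id"] == split_otp(otp_b)["public_id"]


# Constructed sample OTPs (not real token output): same public ID, different bodies.
OTP_A = "ccccccbcgujh" + "ivnuergehjtcbhlvcivtniruhedjflvl"
OTP_B = "ccccccbcgujh" + "tvnnjchudihlbgrcjtllkhrhnjrtdflj"

if __name__ == "__main__":
    a, b = split_otp(OTP_A), split_otp(OTP_B)
    print("public ID:", a["public_id_bytes"].hex(), "shared:", same_token(OTP_A, OTP_B))
    print("ciphertexts differ:", a["ciphertext"] != b["ciphertext"])
```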
     
  21. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,479
    Joined:
    May 14, 2008
    It actually wasn't a non-optional feature. This is the problem with your rationale: you don't fundamentally understand the makeup of the Yubikey and how it works. The workflows and implementations can be set up to bypass that if you want and use other things. It is only the out-of-the-box feature that had that as non-optional. The Yubikey uses open-source software and implementations so you can tailor it to your environment. Also, you use that as a reason why Yubikey apparently can't be trusted today, even though you admit they changed it.

    But hey, you are the expert once, right? Because you bought one, saw what some people were saying and didn't even try anything else. I mean, you don't have to take my word for it though; you could consult Google's research using Yubikey.

    Also, this wasn't just Yubikey; there are other competitors on the market, but Yubikey currently has the best implementations and the best design and framework to use.
     
    Last edited: Jul 30, 2018