Google Strengthens Two-Step Verification Of Google Accounts With Secure USB Key

     
4:12 pm on Oct 21, 2014 (gmt 0)

Administrator from GB 

engine (WebmasterWorld Administrator)

joined:May 9, 2000
posts:26441
votes: 1067


If you're one of those people that is paranoid about security, or if you really want to help protect your Google Accounts to a greater extent, Google has now added "Security Key", which is a physical USB second factor protection.

It incorporates the open Universal 2nd Factor (U2F) protocol from FIDO Alliance. According to Google, that now allows other websites with login systems to operate FIDO U2F.

More information on this additional security for Google Accounts is here. [googleonlinesecurity.blogspot.com]
5:44 pm on Oct 21, 2014 (gmt 0)

Senior Member from US 

ogletree (WebmasterWorld Senior Member)

joined:Apr 14, 2003
posts: 4320
votes: 42


Do they just fit in your USB drive because they don't look like they are USB?
7:19 pm on Oct 21, 2014 (gmt 0)

Moderator

webwork (WebmasterWorld Administrator)

joined:June 2, 2003
posts:8055
votes: 101


I'm confused. I just searched for "U2F" and that hasn't helped much.

Does any step in this process require the use of a USB flash drive / memory stick?

Aren't ALL current USB flash drives now inherently insecure AND non-patchable?

[pcworld.com]
10:15 pm on Oct 21, 2014 (gmt 0)

Moderator from US 

robert_charlton (WebmasterWorld Administrator)

joined:Nov 11, 2000
posts:12399
votes: 409


In the blogspot article linked to above, in the second paragraph...

Today we're adding even stronger protection for particularly security-sensitive individuals. Security Key [support.google.com] is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer's USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.

...the phrase "security key" links to this Google Support article...

Using Security Key for 2-Step Verification
https://support.google.com/accounts/answer/6103523 [support.google.com]

Down at the bottom of the Support page, in the last paragraph, there's a link to an Amazon page that sells the keys...

How do I get a Security Key?
You can use any device compliant with the open standard called "FIDO Universal 2nd Factor (U2F)". Look for this logo *fido*.

You can find Security Key (FIDO U2F) devices available for sale here.

"available for sale here" links to an Amazon page currently offering four choices, ranging in price from $5.99 to $60.00. Not sure why there's such a difference in price. Maybe the cheap ones fail more often. The devices (two of which are described as "FIDO U2F Security Key") appear to be smaller and more easily lost than a standard USB stick, but not (yet) the kind of thing like an iPhone that someone would rob you for. ;)

Currently don't have time to check out the standard. I gather that if you're not on a mobile phone and are running Chrome, these sticks might be good choices.

I know that with safe-deposit box keys, I always like to have two keys. Not sure in this case that you can get duplicates. I suspect they're secure because they're not rewritable.
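
Added example, not part of the thread or of Google's or FIDO's code: a Node.js sketch of the U2F sign-in check the quoted announcement describes, showing why a response produced on a look-alike site fails at the real one. The origins, the challenge, the toy token and the function names are constructed for illustration, and the appId is assumed to equal the site origin.

```javascript
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
// Toy token with one P-256 key (real tokens bind a key handle to each appId).
function makeToken() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let counter = 0;
  const sign = (appParam, challengeParam) => {
    const head = Buffer.alloc(5);
    head.writeUInt8(0x01, 0);          // user-presence flag: key was tapped
    head.writeUInt32BE(++counter, 1);  // signature counter
    const base = Buffer.concat([appParam, head, challengeParam]);
    return Buffer.concat([head, crypto.sign('sha256', base, privateKey)]);
  };
  return { publicKey, sign };
}

// Browser: the origin is taken from the loaded page, not supplied by its script.
function browserGetAssertion(token, pageOrigin, challenge) {
  const clientData = JSON.stringify(
    { typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  return { clientData, response: token.sign(sha256(pageOrigin), sha256(clientData)) };
}

// Relying party (assumes appId == origin): check client data, then the signature.
function verifyAssertion(rp, { clientData, response }) {
  const cd = JSON.parse(clientData);
  if (cd.typ !== 'navigator.id.getAssertion') return 'bad typ';
  if (cd.challenge !== rp.challenge) return 'bad challenge';
  if (cd.origin !== rp.origin) return 'origin mismatch';
  const head = response.subarray(0, 5);
  const base = Buffer.concat([sha256(rp.origin), head, sha256(clientData)]);
  if (!crypto.verify('sha256', base, rp.publicKey, response.subarray(5))) return 'bad signature';
  if (!(head[0] & 0x01)) return 'no user presence';
  if (head.readUInt32BE(1) <= rp.lastCounter) return 'counter replay';
  rp.lastCounter = head.readUInt32BE(1);
  return 'ok';
}

// Constructed scenario: the real site and a look-alike relaying its challenge.
function demo() {
  const token = makeToken();
  const rp = { origin: 'https://login.example', challenge: 'c2FtcGxl', // sample values
               publicKey: token.publicKey, lastCounter: 0 };
  const fake = 'https://login-example.test';
  const genuine = browserGetAssertion(token, rp.origin, rp.challenge);
  const phished = browserGetAssertion(token, fake, rp.challenge);
  const edited = { ...phished, clientData: phished.clientData.replace(fake, rp.origin) };
  return [genuine, phished, edited, genuine].map((a) => verifyAssertion(rp, a));
}
console.log(demo());
```

The four results are the genuine sign-in, the response made on the look-alike origin, the same response with its client data edited to name the real origin, and a replay of the genuine response.
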
3:29 pm on Oct 24, 2014 (gmt 0)

Senior Member

ergophobe (WebmasterWorld Senior Member)

joined:Apr 25, 2002
posts:8639
votes: 284


Interesting. YubiKey has had this for years. I wonder why they didn't just use that as it has a long and AFAIK good security history.

For people saying "BadUSB", the YubiKey at least is a piece of embedded software that locks down what the key can do. You can't put a file on a YubiKey. I assume this is the same.

The Achilles heel in these solutions for me is that with the poor cell phone reception in my area (and thus the inability to receive text messages with verification codes) and the lack of a USB slot on cell phones and tablets, I am always worried about getting locked out of those devices.

YubiKey has a key that works wirelessly but only with a tiny number of phones that support the standard.

That's my big obstacle to 2-factor authentication.
3:37 pm on Oct 24, 2014 (gmt 0)

Senior Member

ergophobe (WebmasterWorld Senior Member)

joined:Apr 25, 2002
posts:8639
votes: 284


ogletree - you have to fold it to make it the right form factor

[sk.plug-up.com...]
5:59 pm on Oct 25, 2014 (gmt 0)

Moderator from US 

robert_charlton (WebmasterWorld Administrator)

joined:Nov 11, 2000
posts:12399
votes: 409


...you have to fold it to make it the right form factor

[sk.plug-up.com...]

(Solid, rugged construction of the Key guarantees secure and trouble-free access to your valuable data for the life of your online accounts.)