
Beyond Passwords: 2FA, U2F and Google Advanced Protection - nikbackm
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/
======
jillesvangurp
We implemented 2FA on our logins in the past year. I'm also looking at
implementing U2F. We'll probably add this once there is enough of a user base.

IMHO the UX for all this stuff is very confusing to non-technical users.
People lose their phones, don't print out the codes, or simply don't
understand how this works and do silly things like trying to use codes from
the wrong account.

Since introducing 2FA, requests from people to reset their 2FA are a very
regular thing for our support people. Especially when it concerns paying
users, saying no is not really an option. So, resets are a common thing. I've
since educated our people to at least not do this blindly but obviously,
social engineering is a big problem with all this stuff. If this happens to
us, you can bet it is an extremely regular thing for basically everything that
has 2fa.

But my biggest worry with this stuff on my own accounts is somebody talking
support into resetting 2FA on my accounts. I can do everything right and still
get compromised because some underpaid support contractor falls for some
social engineering hack.

~~~
PyroLagus
It would be great if sites had an option to remove reset support for your
account permanently. One that is literally impossible to reset. But I'm not
sure how to do that without implementing complete user data encryption.

~~~
spookthesunset
> It would be great if sites had an option to remove reset support for your
> account permanently.

That falls apart pretty quick when you attach things like recurring billing to
your account. Nobody is perfect and at some point somebody, somewhere is going
to want to cancel that billing but not have access to their account _and_
checked your "never reset this account" box.

How do you deal with that very real edge case? Especially since that edge case
can easily escalate to a lawsuit depending on the account in question.

~~~
avar
You empower support to be convinced over the phone to cancel recurring
billing, but not to reset 2FA.

That way in the very worst case if support gets socially engineered into
removing the credit card details from the account the customer will get mildly
annoyed as they have to login and reset it, but their whole account won't be
taken over.

~~~
woolvalley
And then eventually the account will delete itself if you can verify billing
info as part of removing billing.

------
theli0nheart
I went through the Google Advanced Protection setup a few weeks ago. My only
advice is that if you use Android, download the Smart Lock app _before_
enabling Advanced Protection. If you don’t, you’ll get signed out of your
Google account on your phone without a way to log back in (the Play Store
won’t work without a linked Google account).

If you make this mistake, you need to then disable Advanced Protection,
re-login to your phone, then download the Smart Lock app, and THEN re-enable
Advanced Protection to get things working. Otherwise you’ll be locked out of
your phone.

~~~
anilakar
I've been looking for a new Android phone for a while now, and my primary
selection criterion has become NFC because advanced account protection uses
U2F over it. It's frustrating when otherwise decent products are unusable due
to the lack of a common feature.

~~~
blfr
I carefully chose a phone supporting NFC as well. But then installed LineageOS
and, as it turns out, it now does not pass Google's SafetyNet test and Google
Pay refuses to work.

Does the phone need to pass SafetyNet to use a Yubikey over NFC with it?

~~~
yolo1897
It works fine; just use Magisk to pass SafetyNet and in the Hide panel check
Google Pay. I'm using it every day.

------
_pdp_
Clearly an improvement but let's face it - once you lose/break the keys you
will have to go through an extensive verification process (up to 3 days
according to google) and there is no guarantee you will pass that stage
either. Let's be mindful that more security is at the expense of less
accessibility and in some places this is simply not going to cut it.

~~~
zaarn
Generally having backup keys is recommended so you don't have this single
point of failure.

~~~
alexis_fr
If you are in a foreign country and your mobile phone was stolen...

~~~
zaarn
How often does that happen? For the average user this is very very unlikely.

~~~
freehunter
The average person worries about plenty of things that are very very unlikely
to happen to them, but it still worries them enough to pick an option that is
more likely to harm them, but in a less scary way.

------
IloveHN84
Too bad someone has to use only Chrome for U2F access. I wish Firefox was able
to handle it in the same way as Chrome. Not even Chromium can work with
it, at least not on Linux.

~~~
polack
You can enable u2f in Firefox if you go to about:config and toggle the
security.webauth.u2f property. Been using it for a couple of months and it's
working great.

~~~
akavel
I tried that this week, and Google still complains that "you must use Chrome"
when I tried to register it. The Yubikey works OK on other pages, also with
u2f (e.g. gitlab & github). I read somewhere that one can do the registration
on Chrome once and later use Firefox to login. But I _don't want to install
Chrome even once_, that's why I am using Fx in the first place!... :(

~~~
tialaramex
Yup, I can confirm that it works fine once enrolled, I use Firefox for work
and they require MFA so I enrolled the FIDO token on my keychain, I don't run
Chrome.

I don't like how fragile this situation is (not being able to use my preferred
systems to enroll) so I did not enroll my non-work accounts, whereas for
systems like GitHub where Security Keys just work fine, of course both my work
and personal accounts are enrolled.

------
wst_
Can someone confirm what the actual market coverage of U2F/Yubikey is? I have
been reading about it for some time now and it looks to me that only a few web
pages and/or applications actually support it. If that's only to get secure
access to Google or GitHub then it seems an overkill to me. Am I missing
something?

~~~
duality
[https://twofactorauth.org/](https://twofactorauth.org/) has a list of
websites which support two-factor authentication, including using hard tokens.

~~~
Yizahi
This is a nice site but people need to know that half of the listed resources
will only work in Chrome and its derivatives. Firefox does support U2F, for
example, but Google, Facebook and others do not support U2F via FF on their
resources. This situation is at least 1-2 years old and I suspect it will stay
like that for a long time.

~~~
krn
What about other Chromium-based browsers such as Brave, Vivaldi, Opera?

------
daniel-s
Why is SQRL [1] not more popular?

[1] [https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

~~~
cm2187
Reference source in assembly, sponsor not particularly popular or known in the
silicon valley. It's a pity because I think the concept is really smart and
practical. I would not run it on a windows machine though.

~~~
mtgx
I assume it could be implemented on a secure USB stick for key storage, too.

~~~
botto
I think Steve mentioned Yubikey was looking at implementing SQRL once it was
complete.

------
Tepix
FIDO U2F has a great anti phishing mechanism by incorporating the hostname.

However:

It's too difficult to setup FIDO U2F for your own webserver. There is still no
Apache module or nginx plugin that allows you to protect a directory of your
document root.

Also U2F is not available for PHPBB. There is a plugin that appears to be
unfinished and buggy since 2015.

~~~
afrodc_
Using an OpenID connect provider with one of Hans Zandbelt's plugins for
Apache (mod_auth_openidc) or Nginx (lua-resty-openidc) would give you
centralized authentication which could use U2F or any other supported 2FA
mechanism.

~~~
chusk3
I can echo this comment. Protecting websites with lua-resty-openidc was very
easy and required no changes to the actual application code.

------
superzamp
> The value proposition of a U2F device like the YubiKey is that not only must
> you have it present, it's not subject to the TOTP being disclosed like with
> tokens that require the user to enter a password into a third-party service
> which could still be a phishing page

Could someone shed some light on this? What is it that prevents a phishing page
from basically proxying the crypto challenge from the website to your key and
presenting your answer back?

~~~
furicane
U2F is a two-step process - you need to register the device first (through a
challenge-response process called ENROLLMENT), then you can use it by issuing
an authentication challenge (U2F authentication is NOT the same as user
authentication, they labeled the process as ENROLLMENT - AUTH process).

During registration you receive several pieces of info, such as keyHandle,
public key you use to verify future device responses and an attestation
certificate so you can verify the device vendor.

The interesting part is this: when you challenge the u2f device to sign
AUTHENTICATION request, what it does is keep a counter tied to your appId (the
domain where the .js that deals with this is executed) and it produces encoded
json which is signed by the device, using an EC private key.

The counter increases every time the device is challenged by that particular
appId. The response is signed using the counter and a private key that's on
the device (which you can't tamper with).

So, the phishing / mitm should have the value of private key and the moving
part (counter) that's tied to a specific appId. That's difficult since it
SHOULD do this during enrollment process and every subsequent authentication
request.

What's important is that not only does it protect against phishing but from
replays too. Naturally, the u2f device isn't standalone responsible for this,
the verifying server implementation is a crucial part of the process.

Disclaimer: I'm not affiliated with Yubico, but have implemented U2F (the
dreaded js part and backend part) in 2015, several months after Chrome 38 was
released, the first version supporting the u2f protocol.

~~~
gst
Last time I checked (more than a year ago) most of the websites didn't care
about the counter value.

(If you use a Ledger device for U2F and subsequently restore a new (or a
reset) device from your private seed the counter will be reset. Trezor has the
same issue but allows you to manually set the counter to work around it.)

~~~
furicane
I haven't got any info on websites caring about the counter value. It seems...
pointless to use U2F if you just disregard the counter value. You need to
extract it from the response in order to construct the binary data to verify
the signature. If one disregards the counter value, they can just outright
drop the whole U2F.

~~~
Xylakant
> If one disregards the counter value, they can just outright drop the whole
> U2F.

It's not pointless. Disregarding the counter only enables replay attacks, that
is: the attacker must previously have captured a challenge/response. The
phishing resistance is still retained because it relies on the browser passing
the origin to the u2f device and the browser can't be fooled by similar URLs
while a human entering a TOTP token can.

~~~
furicane
U2F isn't as trivial to implement as RFC4226 OTP. It takes effort.
Implementing the counter check is trivial. Disregarding the counter and
stating "that only enables replays" is absolutely unacceptable. If one is so
irresponsible to the point they're enabling a replay attack - then there's no
excuse and no valid argument to support the use of U2F at all. If you (not
YOU, personally) can't implement the protocol fully, don't half-ass it and
plant mines. That's my take on it, and anyone who implements this protocol to
secure people's accounts MUST (not SHOULD) think the same. There is NO excuse
for deliberate irresponsibility.
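The enrollment/authentication flow furicane describes above, together with the origin-binding and counter points Xylakant and furicane argue over, as an added Go example that is not code from the thread or from any U2F library: a toy device signs sha256(appId) || userPresence || counter || sha256(clientData) with a P-256 key and keeps a per-appId counter, and a relying-party check rebuilds those bytes with the appId it enrolled, verifies the signature, and optionally enforces that the counter advanced. The appId strings, the clientData JSON and the checkCounter switch are constructed for the example; the real raw message format (key handle, DER framing) is simplified away.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Device models the authenticator: a P-256 key that never leaves it plus a
// per-appId use counter, as furicane describes.
type Device struct {
	priv     *ecdsa.PrivateKey
	counters map[string]uint32
}

type Response struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte // DER-encoded ECDSA signature
}

type Registration struct {
	AppID       string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// Enroll creates a fresh device and the registration the server stores for appID.
func Enroll(appID string) (*Device, *Registration) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // toy: error ignored
	d := &Device{priv: priv, counters: map[string]uint32{}}
	return d, &Registration{AppID: appID, PubKey: &priv.PublicKey}
}

// signedData is the byte string a U2F authenticator signs:
// sha256(appId) || userPresence || counter (4 bytes big-endian) || sha256(clientData).
func signedData(appID string, up byte, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(app[:], up), ctr[:]...)
	return append(msg, cd[:]...)
}

// Authenticate is the device side. The browser supplies appID from the page
// origin, so a phishing page that relays the challenge gets its own origin signed.
func (d *Device) Authenticate(appID string, clientData []byte) Response {
	d.counters[appID]++
	digest := sha256.Sum256(signedData(appID, 1, d.counters[appID], clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, digest[:]) // toy: error ignored
	return Response{UserPresence: 1, Counter: d.counters[appID], Signature: sig}
}

// Verify is the relying-party side: rebuild the signed bytes with the enrolled
// appId, check the signature, then (checkCounter) require the counter to advance.
func Verify(reg *Registration, clientData []byte, r Response, checkCounter bool) error {
	digest := sha256.Sum256(signedData(reg.AppID, r.UserPresence, r.Counter, clientData))
	if !ecdsa.VerifyASN1(reg.PubKey, digest[:], r.Signature) {
		return errors.New("bad signature: wrong key or signed for another appId")
	}
	if checkCounter && r.Counter <= reg.LastCounter {
		return errors.New("counter did not advance: replayed response")
	}
	reg.LastCounter = r.Counter
	return nil
}
```

A relayed response from a lookalike origin fails the signature check regardless of the counter, while a captured genuine response only gets rejected when the counter is enforced.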

------
xaduha
I wish that SmartCards were used more for this purpose
[https://github.com/OpenSC/OpenSC/wiki](https://github.com/OpenSC/OpenSC/wiki)

There's an applet you can load into your own JavaCard presumably
[https://github.com/LedgerHQ/ledger-u2f-javacard](https://github.com/LedgerHQ/ledger-u2f-javacard)

~~~
rocqua
The YubiKeys support a smart-card functionality.

There is a similar thing in SIM-cards, but that is under-utilized as well.

~~~
notamerican
> There is a similar thing in SIM-cards

Got any good resources on this subject? I'd be interested to know more :)

~~~
xaduha
I'm not entirely sure what he means by that, but SIM-cards are smartcards.

[https://en.wikipedia.org/wiki/Subscriber_identity_module#/me...](https://en.wikipedia.org/wiki/Subscriber_identity_module#/media/File:GSM_SIM_card_evolution.svg)

And you can buy smartcards in this form factor e.g.
[https://www.cardomatic.de/epages/64510967.sf/en_GB/?ObjectPa...](https://www.cardomatic.de/epages/64510967.sf/en_GB/?ObjectPath=/Shops/64510967/Categories/SmartCardHSM)

------
gomox
For some reason Google Smart Lock doesn't allow you to use a U2F Yubikey as a
backup to the phone-based prompt. Seems totally absurd as a Yubikey is the
perfect backup to a lost phone.

Also did I mention that if you use 2FA, Google's "find my phone" functionality
asks you to use your phone to authorize the login before you can find it?

Yes. You heard that right. Use your phone to find your phone. Don't ask me how
I know.

~~~
CDSlice
Well, presumably you are using 2FA because you don't want anyone that stole
your password to be able to access your account, so do you really want anybody
with access to your password to track your location?

~~~
e40
Isn't the point that, in the lost phone case, you can never answer that query?

~~~
tialaramex
Google prompts you (maybe even requires) to enable at least two distinct ways
to get in. Now, of course it's possible you've tied both of those to your
phone, but I put it to you that this makes it your fault.

If my other method works, even if it's a huge pain (e.g. maybe my other FIDO
key is at home and I've flown to Tokyo) then I do still have options. Maybe
not options I _love_ but that's security for you. If you have a massive house
fire that both destroys your bank documents and leaves you so badly burned you
can hardly talk let alone sign your name, good luck the first time you try to
withdraw cash from that bank account.

If you set Advanced Protection both distinct ways have to be FIDO Security
Keys, and whilst it's conceivable you could own a phone that functions as
_one_ FIDO key (I would expect Apple to do this for example) it doesn't make
any sense to have a single phone serving as _both_ your keys, even a
non-technical person can hopefully spot that.

------
stock_toaster
Really hope apple adds u2f (native/safari) support at some point in the
nearish future.

------
arkh
I'd like to see another article showing the steps to go through if you lose
your keys.

~~~
fyfy18
This is my biggest concern about 2FA. On Google I have TOTP 2FA enabled, with
my phone number as a backup. But everything goes through my phone - I'm not
really worried about someone stealing my phone to gain access, but what happens
if I break or lose my phone.

A few years ago I was travelling abroad and had my suitcase stolen - which had
my laptop (with FDE) and passport inside. Fortunately I had my phone and
wallet on me, otherwise I really don't know what I would have done - I
probably wouldn't even have remembered the name of the hotel I was staying at
that night.

~~~
andyjohnson0
Google allows you to print a set of codes [1] that can be used to access your
account if your device is lost. I printed a set and have them stored in a
secure place at home. Some people keep them in their wallet/bag/similar.

[1]
[https://support.google.com/accounts/answer/1187538](https://support.google.com/accounts/answer/1187538)

~~~
michaelt
According to [1]

> Advanced Protection uses a stricter implementation than
> Google has offered in the past: Only those physical
> keys—along with a password—will unlock your account. If
> you lose them, you can't use a printed out backup code

So, no printed backup codes for Advanced Protection users!

~~~
andyjohnson0
(Presumably your [1] reference is this:
[https://www.wired.com/story/google-advanced-protection-locks...](https://www.wired.com/story/google-advanced-protection-locks-down-accounts/) )

Good point, although I think the parent comment was about Google's existing
2FA rather than the new advanced protection setting.

------
technion
It continues to be an annoyance that we have this great technology in the form
of U2F, but Office365/Azure (where troyhunt.com's MX records currently point
by the way) doesn't support it. In fact their UX still strongly pushes you
towards SMS if you don't know where to look.

------
megous
$20 for one in a bundle? Why is it so expensive? I get a 4-core 1.3GHz 1GB RAM
SBC I can run desktop and all the crypto in the world on, incl. shipping from
China for less than the price of a single U2F knob.

I'd pay $2-3 max per piece. Especially since you need more than a few in order
not to cause yourself more trouble than this is worth (to someone who already
uses random unique passwords and emails for services).

~~~
yayana
The goal is really nonclonable key storage with a minimal CPU and purpose
specific firmware, i.e. a sim card. The USB u2fs are about $10 which is pretty
reasonable for a newish card with ECC algorithms.

~~~
megous
Why is it a goal though? I don't care.

U2F to me is useful for protecting from stolen credentials on the web. These
attackers will never have physical access to my u2f device to clone it.

If you fear people getting physical access to your u2f, they can simply use it
if they also know the password. No need for cloning. And if they don't know
the password, it's still useless. From that attacker's perspective, your
security was reduced to password only. Which is still good, if you take care
of your passwords.

------
borplk
Does anyone know if Google allows registering more than 2 keys?

Like what if i want to register 3 or 4 keys for advanced protection?

~~~
theli0nheart
Yep, they do. I’ve registered 6 without a problem.

~~~
blfr
Six seems like a lot. Why do you need so many?

~~~
theli0nheart
It’s cheap insurance against getting locked out of my Google account forever.

~~~
blfr
Sure but you're diluting the second factor. The more tokens you have, the
easier it is to get one and without you noticing.

~~~
theli0nheart
There's always a tradeoff between convenience and security, but I'm relatively
unworried about someone, say, breaking into my bank compared to someone
spoofing my phone number.

------
zeveb
> Now, hopefully the problem here is already self-evident but let's just be
> crystal clear anyway: adding a second step to authentication should not be
> seen as an excuse to weaken the first step. I'm hesitant to call this guy's
> approach 2FA (if it's true MFA at all), it's more like 1.5FA or something
> thereabouts. The point is, use the approaches above as additional security
> controls, not as an excuse to weaken existing ones!

Well, right now I use passwords of the form j6lqPKQKQ1RHv87PES4iy5; it'd be
nice if using U2F meant that I could securely switch to something like
'correct horse battery staple' instead …

------
xkgt
Amidst all the potential ways in which even 2FA can be compromised, I am
surprised no one is mentioning the biggest benefit of using 2FA - the ephemeral
nature of the 2nd password. Not only does it protect against misuse of stolen
credentials, but it also allows you to centrally disable the 2nd password should
any leak occur. Is this one of the stated goals of 2FA design?

In my view, this makes 2FA an essential security feature, not just a nice
improvement over 1FA.

------
stcredzero
Here's what I'd like to see in a 2FA "something you have" device: You could
just leave it in your pocket, and you wouldn't have to interact with it. It
would also unlock your computer when you sit down at your desk and lock it
when you leave.

~~~
satysin
You mean like an Apple Watch does with a macOS machine?

~~~
stcredzero
An app that would turn an Apple Watch into a U2F 2FA device would be great. It
would also need to work as such a device for logins to Google and AWS.

~~~
satysin
Well you can use the Authy Apple Watch app for TOTP but I am not aware of
anything that works like Microsoft or Google's prompt system.

------
whitepoplar
Does anyone know if Smart Lock for iOS works with the new Yubikey 5 NFC, or is
it still necessary to use the Feitian Bluetooth device?

~~~
BillinghamJ
Smart Lock on iOS does not support NFC currently. BLE only.

------
thefounder
This is complicated (even for developers) and requires additional devices.
People hate extra devices. Verdict: fail!

------
czbond
Has anyone seen external reported audits of code & hardware for keys like
Yubikey, Google Titan?

------
limpkin
I wonder if he'll do an article on webauthn... that seems fairly promising as
well!

~~~
WorldMaker
WebAuthn is the spec that enables U2F tokens in browsers. When he adds the
keys to his account in Chrome, and when he logs into Gmail on Chrome, that's
all utilizing WebAuthn in the background as a technical detail.

------
timvdalen
Am I correct in seeing that U2F can't be enabled for G-Suite accounts yet? I
can't find the setting in the Admin panel.

~~~
BillinghamJ
U2F can, but the Advanced Protection program can't currently.

~~~
tialaramex
Advanced Protection changes your relationship with the administrators
(Google). But for GSuite the administrators are some other member of your
organisation, so Google can't make a web page that changes that relationship.

If your company decides that the New York employee named "Steve Smith" and the
London employee "Stephen Smith" are the same person, and either should be able
to request account password reset for steve.smith@company.example, both of
these chaps are going to have a bad time. Google can _tell_ them this is a
terrible idea, but GSuite is a company product, so ultimately it's their
terrible idea if that's what they want to do.

The _technical_ features of Advanced Protection seem to be mostly: Use FIDO
Security Keys (U2F/ WebAuthn), disable stuff we know is useful but insecure.
You can opt into those technical changes for your GSuite, either for everybody
or a selected group e.g. "Company Security Nerds" or "Executive Level
Employees" or "Everybody except Pamela. Damn it Pamela". But the non-technical
feature is hard and probably just not replicable at all.

~~~
BillinghamJ
Yes essentially the issue is that it's possible to permanently and
irrecoverably lose access to your account with the Advanced Protection program
enabled. But that clearly wouldn't work when your account admin can just reset
things.

So you can have an equivalent set of options configured, but it isn't exactly
the same.

------
mkagenius
> Password and SMS

I see no mention of SS7 attacks, is that a solved problem?

~~~
ptman
"SIM porting"

~~~
mkagenius
How will SIM porting help in such attacks?

~~~
ggm
It doesn't help: it exemplifies the full scale of the problem which is bigger
than ss7. SIM porting attack is social-engineering. You don't even need to
"fix" ss7 to port out of some carriers, because humans are in the loop to do
it for you because of tears on the phone.

