
Google Will Retool User Security in Wake of Political Hack - coloneltcb
https://www.bloomberg.com/news/articles/2017-09-29/google-is-said-to-retool-user-security-in-wake-of-political-hack
======
jforman
Having a high-security option will be useful for more than executives and
politicians. Lawyers, doctors, Equifax employees — anybody who touches highly
sensitive data will benefit.

Email is used as a privilege escalation path to pwn almost every other service
we use. And we're finding that 2FA isn't the ultimate answer — OTPs are easy
to phish, SMS can be socially engineered around without much difficulty, etc.
As the value of digital data keeps going up, the sophistication of hacking
groups and governments has gone up as well.

A highly secure browser connecting to an account with limited API access using
a physical token is an excellent step. I'll buy it myself if it isn't
obscenely expensive.

~~~
KGIII
Some sort of 2FA done on a USB device might help. I'm thinking something open
and free. The user can just extract, probably programmatically, the software
to their own USB device and enter/configure any needed information.

Then, online accounts could query the device and see if there's a key that
matches what was made when they set up the account or added 2FA. Each account
could have its own key, associated with the owner's master key, and it'd have
to match the one on file - something like that.

I imagine it'd have to be standardized and easy for site owners to implement.
I guess it could also be done at some central location using something like
OAuth, though individual sites should be able to add it - and fairly easily,
and for just the cost of learning to add it. Maybe make it fairly simple, as
easy as LetsEncrypt - or even easier.

Now, in my head, they'd enter their username (no password yet) and that's when
the check would be performed. The site would request the token from the USB
and the USB would request the token from the site. If the two match whatever
criteria the security gurus come up with, they are prompted to enter their
password. I suppose there could be additional checks and maybe even periodic
polling from either the USB or the site.

Because the phishing site wouldn't have the correct key, it would fail and the
user wouldn't even be asked for their password. Ideally, the user wouldn't
have to do much more than carry their USB drive with them.

I suppose it should be easy for the owner to clone the USB key. It should also
require some sort of master password to even authorize it to hand out keys. I
imagine enterprises can lock them down to a key and a workstation, meaning
that they can only work in certain computers and certain computers will
only accept one physical key.

I am sure this can be refined and monetized. Selling solutions to businesses
and services would be nice. Recovery should be possible but difficult. I'm
sure it can be layered with additional features. It should probably be
optional, and not mandated by law for the general population and for personal
computing - but available for them.

I'm sure there are ways one can think of to get by it but it does seem like
it'd be a good place to start. It also doesn't seem like it'd be
technologically difficult to accomplish, or even necessarily expensive.

~~~
tonyztan
It seems like U2F fits most of your criteria: open and free, standardized and
easy to implement, foils phishing, etc. It can't be easily cloned though.

[https://en.wikipedia.org/wiki/Universal_2nd_Factor](https://en.wikipedia.org/wiki/Universal_2nd_Factor)

~~~
perpetualcrayon
This is exactly the kind of 2fa that I've envisioned in the past (not being
familiar with U2F), with the exception that I think the ideal solution will be
a U2F device that doesn't require a power source. A special kind of NFC chip.
May already exist (not sure how feasible it is), but I'm not aware if it does.

~~~
emmatoday
The Yubikey Neo and at least one other U2F capable device support U2F over
both USB (for laptops) and NFC (for use in Chrome on Android). The
authenticator is not internally powered.

------
LurkersWillLurk
I hope this purported initiative will be accessible to all users, not just to
those on a whitelist. As it currently stands, I can use a security key as my
second factor, but I can also receive a text message, which defeats the whole
point of the key. I would love to see an option to not use SMS as my second
factor.

~~~
Ajedi32
For your Google account you mean? You can already do that; just remove the
"Voice or text message" factor from your list of 2-factor options under
account settings: [https://myaccount.google.com/signinoptions/two-step-verification](https://myaccount.google.com/signinoptions/two-step-verification)

My account, for example, is set up to allow U2F keys, Google Authenticator, and
static recovery codes, but not SMS.

~~~
jlgaddis
Don't you have to set it (SMS) up first, add other 2FA methods (e.g. U2F), and
then remove SMS?

I'd prefer to never set it up in the first place.

~~~
tonyztan
You're right. You have to set up SMS to set up other types of 2FA, but you can
remove your phone number afterwards. I think Google just doesn't want less
experienced users getting locked out.

~~~
zie
This is broken, because you absolutely know Google will keep your phone #
around and linked to your account, even after deleting it from the UI. No U2F
for me, cause Google has to know my phone #.. except I don't have a phone,
cause I'm deaf.

~~~
VoidWhisperer
Being deaf doesn't preclude you from having a phone, especially a smart phone,
which has plenty of applications that do not require sound and many of which
actually have accessibility features for the deaf.

~~~
zie
True. I use an iPad mini instead, easier for me to communicate with other
people, since it has a much larger screen to type on.

------
retox
>The Gmail messages of John Podesta, Hillary Clinton’s 2016 campaign chairman,
were famously hacked last year

No, he was phished.

~~~
gonyea
2fa would have protected him.

~~~
AgentME
Is 2fa that big of a deal to a dedicated attacker who gets the victim to enter
their info into a phishing page? (Just thinking of passcode-style 2fa, not usb
key 2fa.) The attacker just has to forward the victim's login info to a login
page, and then if the attacker gets a 2fa prompt, they prompt the victim with
a 2fa prompt and then forward the victim's answer immediately.

I understand a lot of attackers don't bother since there's plenty of easier
victims without 2fa, but if they're targeting a specific individual, it's not
that much more work to make their attack work on 2fa too.

~~~
aiiane
That's why U2F is a better alternative - it avoids the phishing issue as well
as the password reuse issue.
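An added example, not from this thread: a toy Python model of why the U2F assertion aiiane refers to cannot be relayed the way a one-time code can. The token's key and the signed client data are both bound to the origin the browser is actually on, so a response produced on a look-alike origin fails verification at the real site, and a monotonically increasing counter rejects replays. HMAC stands in for the real protocol's ECDSA signature (so the relying party holds the same key the token derives), and the origins and user name are made up.

```python
import hashlib
import hmac
import secrets

# Toy model; HMAC stands in for U2F's ECDSA signature (assumption), so the
# relying party stores the same key the token derives.
class Authenticator:
    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.counter = 0
    def key_for(self, app_id):
        # A different app id (origin) derives an unrelated key.
        return hmac.new(self.master, app_id.encode(), hashlib.sha256).digest()

    def sign(self, origin, challenge):
        # The browser supplies the origin it is really on; the page cannot lie.
        self.counter += 1
        client_data = f"{origin}|{challenge}".encode()
        msg = hashlib.sha256(client_data).digest() + self.counter.to_bytes(4, "big")
        sig = hmac.new(self.key_for(origin), msg, hashlib.sha256).digest()
        return client_data, self.counter, sig

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.users, self.challenges = origin, {}, {}
    def register(self, user, token):
        self.users[user] = [token.key_for(self.origin), 0]  # key, last counter
    def begin_login(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_login(self, user, client_data, counter, sig):
        key, last = self.users[user]
        origin, _, challenge = client_data.decode().partition("|")
        if origin != self.origin or challenge != self.challenges.pop(user, None):
            return False  # signed on another origin, or stale/replayed challenge
        if counter <= last:
            return False  # counter must increase: catches replay and cloned tokens
        msg = hashlib.sha256(client_data).digest() + counter.to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig):
            return False
        self.users[user][1] = counter
        return True

def login_outcome(page_origin):
    # The victim's token signs on page_origin; the response goes to the real RP.
    rp, token = RelyingParty("https://accounts.example"), Authenticator()
    rp.register("alice", token)
    challenge = rp.begin_login("alice")  # a phisher could relay this verbatim
    return rp.finish_login("alice", *token.sign(page_origin, challenge))
```

`login_outcome` returns True only when the page the token signed on is the relying party's own origin; a relayed challenge answered on a look-alike origin is rejected before the signature is even checked.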

------
tonyztan
> The new service will continue to require a physical USB key in addition to a
> second physical key for greater protection.

I look forward to more details so that I can understand the reason for having
two physical keys. What threats can defeat one U2F key but not two?

~~~
agl
Losing one.

~~~
dward
Number two is to throw in your safe and forget about it.

~~~
tonyztan
This is definitely a valid consideration. Perhaps they are replacing "2fa
recovery codes" with a backup U2F key.

------
ehPReth
I hope they add U2F support to their desktop (Windows/macOS) applications
(Drive File Stream, Backup & Sync, etc).

Having U2F only should be amazing but it sure sucks when you have to add less
secure methods to sign in on the desktop :/.

Additionally, for G Suite organizations, locking anyone but enterprise users
out from requiring U2F for their users (or an OU) is a bit of a kick in the
pants when that’s the only feature you desire (a security one at that!) and
going from Business to Enterprise is most likely a hefty price hike.

------
tareqak
Techmeme summary: _Sources: Google to launch Advanced Protection Program
marketed at high-profile users that replaces 2-factor auth with physical keys,
blocks all third party apps_

------
mozumder
Politics here. Gotta ban this discussion.

------
oh_sigh
Will tech-clueless, powerful people actually use this product? Or will they
continue to have their password be 'p@ssw0rd'?

~~~
koolba
If you make a product that just requires them to plug it in to access their
email then yes they'll use it. It's about usability and people would
understand the key unlocking their email.

~~~
ams6110
They will demand a way to access their email even if they forget the plug-in
key thingy.

------
eksemplar
That's nice and all, but you really shouldn't use google for anything you want
to be secure. Especially if you're not American.

