
Google: Security Keys Neutralized Employee Phishing - sohkamyung
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/
======
klodolph
For those interested, I recommend reading how FIDO U2F works. There's more in
a security key than just FIDO U2F, but FIDO U2F is easily the most ergonomic
system that these security keys support. Simplified:

* The hardware basically consists of a secure microprocessor, a counter which it can increment, and a secret key.

* For each website, e.g., GitHub, it creates an HMAC-SHA256 of the domain (www.github.com) and the secret key, and uses this to generate a public/private keypair. This is used to authenticate.

* To authenticate, the server sends a challenge, and the security key sends a response which validates that it has the private key. It also sends the nonce, which it increments.

If you get phished, the browser would send a different domain
(www.github.com.suspiciousdomain.xx) to the security key and authentication
would fail. If you somehow managed to clone the security key, services would
notice that your nonces are no longer monotonically increasing and you could
at least detect that it's been cloned.

I'm excited about the use of FIDO U2F becoming more widespread; for now all I
use it for is GitHub and Gmail. The basic threat model is that someone gets
network access to your machine (but they can't get credentials from the
security key, because you have to touch it to make it work) or someone sends
you to a phishing website but you access it from a machine that you trust.
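As an added illustration of the mechanism klodolph sketches above (not code from the thread or from any FIDO implementation), here is a Go model of a stateless U2F-style token: a per-registration P-256 key derived by HMAC from the device secret and the origin, a key handle that lets the token recognise its own registrations without storing anything, and a relying party that checks the origin-bound signature and the monotonic counter. The device secret, origin strings and challenges are constructed values, and attestation and the browser-side application-ID checks are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// SecurityKey models a cheap U2F token: one device secret, one counter, no per-site storage.
type SecurityKey struct {
	secret  []byte
	counter uint32
}

// mac derives purpose-specific values; the label keeps the handle tag and the private scalar distinct.
func (k *SecurityKey) mac(label, appID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, k.secret)
	m.Write(append([]byte(label+"|"+appID+"|"), nonce...))
	return m.Sum(nil)
}

// deriveKey turns HMAC(secret, appID, nonce) into a P-256 key; equal inputs give the same key.
func (k *SecurityKey) deriveKey(appID string, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(k.mac("derive", appID, nonce))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	d.Add(d, big.NewInt(1)) // scalar now in [1, N-1]
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.X, priv.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv
}

// Register issues a key handle (random nonce plus a tag bound to appID) and the public key.
func (k *SecurityKey) Register(appID string) ([]byte, *ecdsa.PublicKey) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, k.mac("handle", appID, nonce)...), &k.deriveKey(appID, nonce).PublicKey
}

// signedData is what the token signs: origin, counter and server challenge.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256(append(binary.BigEndian.AppendUint32([]byte(appID+"|"), counter), challenge...))
	return h[:]
}

// Authenticate is the browser's request; appID is the origin the browser itself observed.
func (k *SecurityKey) Authenticate(appID string, handle, challenge []byte) (uint32, []byte, error) {
	if len(handle) != 16+sha256.Size || !hmac.Equal(handle[16:], k.mac("handle", appID, handle[:16])) {
		return 0, nil, errors.New("key handle was not issued for this origin")
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.deriveKey(appID, handle[:16]), signedData(appID, k.counter, challenge))
	return k.counter, sig, err
}

// Credential is the relying party's record: public key and the last counter seen.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Verify checks the signature over the server's own origin, then rejects a counter that did not advance.
func (c *Credential) Verify(appID string, challenge []byte, counter uint32, sig []byte) error {
	if !ecdsa.VerifyASN1(c.Pub, signedData(appID, counter, challenge), sig) {
		return errors.New("bad signature")
	}
	if counter <= c.Counter {
		return errors.New("counter did not increase: possible cloned key")
	}
	c.Counter = counter
	return nil
}

// Demo runs the thread's three cases: a normal login, a look-alike origin, and a stale clone.
func Demo() (loginOK, phishBlocked, cloneDetected bool) {
	secret := []byte("constructed demo secret, not a provisioning value")
	key := &SecurityKey{secret: secret}
	const site = "https://www.github.com"
	handle, pub := key.Register(site)
	cred := &Credential{Pub: pub}
	ch1 := []byte("constructed challenge 1")
	ctr, sig, err := key.Authenticate(site, handle, ch1)
	loginOK = err == nil && cred.Verify(site, ch1, ctr, sig) == nil
	// The browser reports the origin it is really on, so the handle tag fails.
	_, _, err = key.Authenticate("https://www.github.com.suspiciousdomain.xx", handle, ch1)
	phishBlocked = err != nil
	// A clone knows the secret, but its counter (0) is behind the genuine device (1).
	ch2 := []byte("constructed challenge 2")
	ctr, sig, _ = (&SecurityKey{secret: secret}).Authenticate(site, handle, ch2)
	cloneDetected = cred.Verify(site, ch2, ctr, sig) != nil
	return loginOK, phishBlocked, cloneDetected
}

func main() { fmt.Println(Demo()) }
```

The clone is only caught once its counter falls behind the genuine device's, so the counter is a detection signal rather than a hard block.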

~~~
brightball
It's also tremendously more efficient to tap your finger on the plugged in USB
than it is to wait for a code to be sent to your phone or go find it on an app
to type in. I've added it to everything that allows it, more for convenience
than security at this point.

Most places that allow it require that you have a fallback method available.

~~~
baby
One thing I don't understand is why apps like Authy or Google Authenticator
are not using push notifications to allow you to directly auth via unlocking
or Touch ID instead of having to go through the app. If you really want the
user to type something then you can still use a push notification for easy
app access.

~~~
spacehunt
TOTP is designed to be usable even while offline.

~~~
Klathmon
But is that trade off worth it? Is the ability to work offline worth giving up
a simple prevention of phishing attacks?

~~~
klodolph
Full circle here, since FIDO U2F has phishing-resistance like push
notifications and lets you work offline like TOTP. "Offline" in the sense that
everything besides whatever you're authenticating against can be offline.

~~~
closeparen
Push notifications offer no phishing resistance. The attacker can present a
fake login experience and conduct a real login behind the scenes at the same
time. If you think you’re logging in, you’ll approve the push for them.

------
jwr
U2F is fantastic. I wish Apple supported it in Safari (hoping!).

Also, YubiKey 4 is a great device. Set it up with GnuPG and you have "pretty
good privacy" — with convenience. I recommend this guide for setting things
up: [https://github.com/drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide)

The great thing about YubiKeys is that apart from U2F, you also use them for
OpenPGP, and the same OpenPGP subkey can be used for SSH. It's an all-in-one
solution.

~~~
palisade
Yea, except YubiKey got compromised.

[https://www.yubico.com/support/security-advisories/ysa-2017-...](https://www.yubico.com/support/security-advisories/ysa-2017-01/)

And, if you lose your fob or your backup fob you're boned.

~~~
iwalsh
That vuln only affected RSA keys generated for specific niche functionality
and not most uses of the YubiKey.

> The issue weakens the strength of on-chip RSA key generation and affects
> some use cases for the Personal Identity Verification (PIV) smart card and
> OpenPGP functionality of the YubiKey 4 platform. Other functions of the
> YubiKey 4, including PIV Smart Cards with ECC keys, FIDO U2F, Yubico OTP,
> and OATH functions, are not affected. YubiKey NEO and FIDO U2F Security Key
> are not impacted.

~~~
palisade
Hm, I suppose, though that is the functionality the poster I was replying to
was discussing. Though, one has to wonder what other flaws are lurking below
the surface on that chip. It isn't flawless. Once there is another major issue
it is going to be an abandon-ship type of situation. What are the
alternatives, if any: move to a new key that doesn't have the problem, or look
into an alternative means, etc.?

~~~
munchbunny
I think this is a revocation and provisioning problem: when the device is
compromised, how hard is it to revoke that device and provision a new one for
yourself?

Structurally, actually making these tokens should be commoditized anyway. So
on the software side, it needs to be not absolutely painful to rotate
credentials. Something like a one-time-pad that you can use in "in case of
fire break glass" situations.

~~~
tialaramex
If you've ever used GitHub's SSH keys provisioning, any halfway decent U2F or
WebAuthn implementation (including GitHub's) works a lot like that.

You can register as many keys as you like within reason, you can give them
names like "Yubico" or "Keyfob" or "USB Dildo" and any of them works to sign
in.

Once signed in you can remove any you've lost or stopped using, and add any
new ones.

The keys themselves have no idea where you used them (at least, affordably
priced ones, you could definitely build a fancy device that obeys FIDO but
actually knows what's going on rather than being as dumb as a rock) and
there's no reason for your software like a browser to record it. Crypto magic
means that even though neither browser nor key remembers where if anywhere
you've registered, when you visit a site and say "I'm munchbunny, my password
is XYZZY" it can say "You're supposed to have one of these Security Keys:
Prove you still do" and it'll all just work.

~~~
munchbunny
Thanks for the explanation. It all makes sense, and the public/private key
system is awesome for that.

The point I was getting at was "if your one Yubikey is stolen, what do you
do?" If you fall back on password authentication, then your Yubikey based
system was only as secure as the password mechanism protecting your account
recovery mechanism.

The answer might be "provision two keys and stick one in a bank deposit box",
etc. Regardless, there's an inherent problem that you want your recovery
mechanism to be as hard to crack as your primary authentication mechanism, but
you need it to not be an absolute pain.

~~~
jwr
Most sites require you to set up another form of 2FA along with U2F (for
example, TOTP using Google Authenticator). There are also recovery codes that
you print and store on paper.

I don't consider losing a Yubikey to be a serious problem, though it's
important not to use it to generate RSA keys, as then you will not be able to
make any backups. Generate your keys in GnuPG and load them onto the key,
keeping backups in secure offline locations.

------
phillipseamore
I'd like to mention that I've been testing the Krypton app (iOS only for now)
for U2F. You install Krypton on your iOS device, and it creates keys that are
only on the device. You then install the extension for Chrome. When U2F is
requested they send the challenge to the iOS device, which calculates the
response and sends it back to the extension. The app can be configured to
require approval or always send the response.

The app also supports SSH keys.

Works very well for me and the service is free.
[https://krypt.co/](https://krypt.co/)

~~~
4kevinking
Good to hear you're liking U2F on Krypton. Android support was released last
week, and Firefox/Safari support is coming soon!

~~~
xena
I wish you just had the workstation download on the homepage again. I had to
find your homebrew bottle GitHub repo to figure out how to install Krypton on
my new MacBook.

~~~
paulopontesm
Agree. The new page seems phishy. I double checked the domain and certificate
before trusting the page at all. Other than that, great product.

------
sGatling1788
Am I the only one who is disappointed in the seeming stall in traction for
U2F? Google, GitHub, and Facebook supported U2F 2 years ago, so all I can see
is that Twitter, Dropbox and niche security news like KrebsOnSecurity.com have
added support since then? Sure it's something, but in 2 years I would have
expected more. Who am I missing? Without more websites, the consumer mass
market has little incentive to adopt, and without users, websites have little
incentive to support U2F, thereby furthering the stalling.

~~~
packet_nerd
I needed a new bank and thought surely there will be one that offers U2F...
days of searching later, and I still have yet to find one that does. It seems
like the vast majority of online banks don't even support any kind of 2FA
except email/text. Really, really sad.

For regular guys like me, I can't think of any online service more important
to protect than my bank account.

~~~
Arainach
Vanguard supports U2F. [https://investor.vanguard.com/security/security-keys](https://investor.vanguard.com/security/security-keys)

~~~
everybodyknows
Yet only Chrome is supported -- and this does not include chromium-browser on
Linux.

------
decasia
I guess this is a dumb question, but is it still "multi factor authentication"
if you only use a single physical device to complete the login process?

The way the article is written, it makes it sound like the physical key is a
replacement for 2FA instead of just a hardware device that handles the second
factor (while leaving the password component in place).

~~~
chimeracoder
> I guess this is a dumb question, but is it still "multi factor
> authentication" if you only use a single physical device to complete the
> login process?

This is a common misconception. The threat model of 2FA is not "I lost my
device, and it is now in the hands of someone who knows the password".

The threat model of 2FA is one of:

1) "An attacker has gained remote access to my computer, but not physical
access"

2) "I have been targeted by a sophisticated phishing attack, and I trust the
machine that I am currently using"

TOTP (and even SMS) protects against (1) in most cases, though U2F is still
preferable. U2F is the only method that protects against (2).

~~~
wool_gather
> U2F is the only method that protects against (2)

Would you be able to elaborate on this? I'm not understanding the difference
between TOTP and the physical key from the article for this scenario.

~~~
toast0
With TOTP, a sufficiently clever phish may convince you to enter the one time
code.

With U2F, there is communication between the browser and the device,
requesting authentication for a specific origin hostname -- that can't
(shouldn't) be fooled by a phish hosted at
Google.com-super-secure-phishing.net

~~~
tzs
Where do password managers fit in here? If a phisher convinces me to try to
login to google.com-super-secure-phishing.net using my google account I'm
going to notice something is wrong when my password manager refuses to fill in
the login form.

~~~
SpaethCo
This is where it comes down to user behavior. One of the security engineers
from Stripe gave a talk about this at Blackhat last year -- she had phishing
campaigns that had users ignore that autofill didn't work and manually
copied/pasted their password manager credentials into the phishing sites.

[https://www.youtube.com/watch?v=Z20XNp-luNA](https://www.youtube.com/watch?v=Z20XNp-luNA)

------
technion
Microsoft's position is interesting. The article states Edge will be
implementing support this year. They run Github, which supports U2F.

But Microsoft are in the process of launching a new MFA and password
management product in Office 365/Azure, and I'm informed U2F isn't on the
roadmap.

~~~
codinghorror
Welcome to The Strategy Tax

------
idlewords
Google's instructions for setting up these keys are unfortunately very bad, so
I wrote this guide:
[https://techsolidarity.org/resources/security_key_gmail.htm](https://techsolidarity.org/resources/security_key_gmail.htm)

------
djsumdog
I wonder what happens when you forget your key at home. If I forget my keyfob
for work, I usually have to do the walk of shame, around the hallway from the
reception desk, whenever I use the bathroom. But I can still get in. And if I
really wanted to, I could get a temp key for the day.

Do companies like Google, et al. have security departments that give people
temporary keys that expire after a day, or do they have to run back home?

~~~
joemag
Yeah, you usually have one time use keys that can work in cases like that. Or
you can get a new key from IT and go through a registration support.

------
supernova87a
For my personal email (gmail) I only recently went to Google Authenticator
because I finally figured out how to put it on multiple devices. I was worried
about the SMS code method's security, but I had no other way to ensure that
losing my phone wouldn't leave me with no way to get into my accounts. (If I
lose my phone I can still resurrect my phone # on another device by SIM
replacement).

The U2F works fine for corporate, etc. where you have a support team who can
help you in case you lose it or forget anything. They can make you come in
person and prove that you are you.

The problem with implementing this for personal is that if you ever lose the
key or code generator, you are absolutely fucked because there is no way to
prove who you are to Google and have them reset your password / security.

~~~
modeless
You don't need multiple authenticators. The right thing to do is print
multiple copies of your one-time emergency backup codes
([https://support.google.com/accounts/answer/1187538](https://support.google.com/accounts/answer/1187538))
and put them in many places. Wallet, car, house, parents' house, etc. You only
have to do this once. The codes are useless without your password and you can
revoke them at any time if you really need to, so spread them widely and then
you won't ever have to worry about losing your authenticator.

------
exabrial
Notice something important: they didn't use SMS.

Also, look at how GitHub uses U2F. Anytime you need to make an account change,
you can simply tap your u2f key. It's a great user experience and really locks
down your account.

------
adrian_mrd
How does one use a U2F / YubiKey on a mobile device like an iPhone (lightning
port), or are they only compatible with laptops and Android phones (USB-2,
USB-C, USB-3) connections?

~~~
Steltek
On Android, you have plenty of options and they all work. Specifically, my Neo
key works with NFC and my YK4 works with USB OTG (both original flavor and
USB-C).

Apple limits the capabilities of Yubikeys so much that it's best to summarize
it as "Doesn't work". It's more of Apple's anti-competitive restrictions that
seem to go unnoticed by most people because they have a shiny UI.

~~~
adrian_mrd
Thanks for that info.

So, then, if Apple wanted to adopt a similar solution to Google - i.e. for
their own enterprise security, as opposed to for their customers - could they
use one of the Yubikey NFC options, or, would they have to ‘create’ a
Bluetooth-specific device?

Maybe the long-rumoured Steve Jobs ring could take the form factor?!

And from an Apple customer perspective, is there a valid argument to be made
that iOS devices can be, or are currently, less secure than Android
counterparts because of the current lack of Yubikey / U2F options?

~~~
PascLeRasc
The Yubikey NEO recently supports iPhone 7 and up:
[https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-...](https://www.yubico.com/2018/05/yubikey-comes-to-iphone-with-mobile-sdk-for-ios-and-lastpass-support/)

~~~
adrian_mrd
With some limitations, at least in iOS 11:

“Besides the fact that the NFC Reader interface can only be fired up from an
app, Core NFC [in iOS 11] does not allow for write operations that are
required for authentication protocols like FIDO U2F. ...

However, because NFC tag reading is supported, it allows developers to build
apps, including consumer facing or purpose-built enterprise applications, with
one-time passcode (OTP) support.”

Which is what ‘smiley1437’ and others have effectively stated in other parts
of this thread.

edit: added last sentence

------
otterpro
Is there any inexpensive USB-based security keys? I'd love to get one for my
Mac and PC but Yubico Nano is $50; I would like two of these, but they are
$100 already.

EDIT: I also see Yubico Fido Keys which are $20 each (and $36 for 2). Are
there any differences between these and the regular Yubico keys?

~~~
tptacek
If you have to ask, get the super cheap ones; you probably aren't going to use
any of the features on the expensive ones (like the nanos and the Y4s).

You will read lots of people talking about the cool things they do with their
Y4s, but really they're just doing it because they can, not because there's a
well-thought-out security benefit they're getting (I'm as guilty of this as
anyone). 95% of the benefit of a security key is simply U2F.

~~~
tytso
I use Yubikeys to store my GPG and SSH private keys. This way even if my
laptop gets 0wned, the attackers won't be able to get my private keys. It
basically is a more convenient form factor than using a Smartcard (which was
how I had previously stored my GPG / SSH keys).

~~~
GordonS
Is there any simple way to keep SSH keys synced across multiple keys?

I have 2 laptops and an Android device, so if I was to start using these
things it would be convenient to keep my private keys available across them
all.

------
pasta
When I buy a key, how will I know I can trust that key?

Is there any way to validate it?

Edit: It seems Yubico is a trusted brand so I guess you are safe when you buy
keys from them.

Here is a list of FIDO certified products:
[https://fidoalliance.org/certification/fido-certified-produc...](https://fidoalliance.org/certification/fido-certified-products/)

~~~
tialaramex
(Cheap) Security Keys are very dumb objects. They don't know anything secret
except their own secret key. So I think the two naughty things bad guys might
do are:

1. Sell you a key whose secret key they already know. This is hard to defend
against. But if you just buy a generic key from a reputable manufacturer and
aren't a major target this seems pretty safe in practice.

2. Hide something malevolent inside the security key's case, e.g. it's
secretly a GPS tracker or it's a tiny USB disk plus keyboard that hacks your
PC after detecting inactivity.

~~~
gbacon
Is there any way to generate a new key on the device? What steps can a
paranoid user take to mitigate problem (1) above?

~~~
tialaramex
In principle devices could be designed with the ability to generate a new key.
But if you don't trust the hardware how does that help?

You may be able to make more of the hardware yourself, depending on how
capable you are with electronics.

(Much) more expensive devices can implement FIDO while actually using
arbitrary new keys for each registration and you could arrange to hand-pick
the keys and then verify it behaves as intended and uses your chosen keys.

~~~
crunchatized
In the more expensive devices, are the arbitrary new private keys imported
from the computer it's plugged into? If the new keys are generated on the
hardware you don't trust, it'd still be the same problem, since the private
keys could be generated deterministically from a known seed and a counter.

You can at least verify when a cheaply-designed device has changed its secret
key, because the public key it offers for github.com is different from before,
but yeah, that 'new' secret key could still just be derived from a
manufacturer-known seed/secret serial number, too, same as the first one was,
but with an incremented counter.

------
guessmyname
Too bad the MacBook Pro _(without TouchID)_ only has two USB-C ports.

I use one for charging and the other one for the external display.

Guess I'll have to buy the one with TouchID for extra security.

~~~
red_phone
A USB-C hub would be cheaper.

~~~
t3f
Only if you're looking for a USB-C to USB-A hub. There is a surprising lack of
good USB-C multi-port hubs, let alone any that support USB PD on anything but
the upstream port. You're just now starting to see any that even have generic
pass-through of PD.

~~~
dwaite
It is surprising; I understand the difficulty in making a USB-C multi-port
hub, but it seems like a huge missed market opportunity. The MacBook is far
from the only device with only a single USB-C port and a headphone jack.

------
twunde
Does anyone know how to enable U2F support for LastPass as the article claims?
I was under the impression that LastPass only supported OTP codes with
YubiKeys and not U2F.

~~~
superdaniel
I agree. I think it’s a mistake in the article. The author most likely saw
that LastPass supports Yubikeys and thought that was the same as U2F?

------
sytse
Do the security keys prevent phishing because they will only login to the same
site by checking the domain? So you can't mitm someone.

~~~
javagram
U2F incorporates the origin, which prevents phishing (unlike TOTP 2FA)

~~~
sytse
Thanks!

------
DanBlake
Does a password management / U2F solution exist that would let you view all
password titles with a master password but only dispense the actual passwords,
one at a time, via a button press? Would prevent having your entire password
DB stolen if you were keylogged/mitmd/whatever.

Picture of what I kind of mean here :
[https://pbs.twimg.com/media/Diylx-0X4AIjrqO.jpg](https://pbs.twimg.com/media/Diylx-0X4AIjrqO.jpg)

*edit- slide #2 and #3 are backwards. The passwords are stored on the USB device, if that wasn't clear. Master password allows you to view password titles and essentially 'unlock' the USB device. However, every action needs to be confirmed one by one. So for instance, you could in theory export 'all' passwords in one shot, but it would present you with that prompt on the device itself.

~~~
DanBlake
Looks like the trezor has native support for ALMOST this exact functionality:
[https://www.youtube.com/watch?v=5Jva-vcFQjE](https://www.youtube.com/watch?v=5Jva-vcFQjE)
(it for whatever reason, stores the passwords on dropbox, instead of in the
device...)

~~~
palisade
Dropbox isn't secure. They have a master key override and have many times
already unlocked boxes without the user's permission. Also, they cache your
credentials, anyone who gets a hold of the cache file can put it on another
machine and get into the box without authenticating.

------
AdmiralAsshat
I got a Yubikey for free through Ars Technica, but I haven't set it up yet.
Regrettably it was a base model instead of the NFC model, which means I'll
have to grab several adapters to be able to use it with my various Android
devices, all of which tie to the Gmail account.

~~~
chimeracoder
> I got a Yubikey for free through Ars Technica, but I haven't set it up yet.
> Regrettably it was a base model instead of the NFC model, which means I'll
> have to grab several adapters to be able to use it with my various Android
> devices, all of which tie to the Gmail account.

For what it's worth, you can have multiple U2F devices. Twitter is the only
website I'm aware of that only lets you register one U2F key.

------
indentit
I guess one limitation of this approach is that one can't login to anything
from a VM that is running on a server that one has no physical access to -
i.e. no way to plug the USB key in.

~~~
vl
There are one-time codes, and there is support for remote keys over SSH (in
the simplest form this key just pretends to be a USB keyboard and does the
typing of the code for you).

------
HillaryBriss
> _...thieves can intercept that one-time code by tricking your mobile
> provider into either swapping your mobile device’s SIM card or “porting”
> your mobile number to a different device._

I know I'm paranoid, but this makes me wonder how safe it is at cell phone
kiosks and stores when you grant them access to your account so they can see
if you're eligible for a promotion or upgrade.

Last time I was at one of these kiosks (in a busy store) I had to ask the guy
to log out of my account before I walked away.

~~~
ObscureId
That isn't really just being paranoid. Logging into your account on any public
device is not secure at all.

Those kiosks are just computers, even if that employee logged out, who is to
say that he didn't also install a keylogger before you typed in your
credentials?

That is a really bad idea.

~~~
HillaryBriss
Yeah. I agree.

Maybe this makes it slightly less bad: to log into my account, the guy typed
in a single-use random code which their special administrative interface
texted to my phone. Assuming that code is truly only good for one use, there's
a little safety in that.

But, I still wonder what exactly these cell-phone representatives do with the
info they can access on my account, and whether they truly log off, or capture
that web page's info somehow, etc.

I once saw a cell phone rep in-training take a picture of such a private
account screen with their personal phone and then text it to another person in
the company so that they could ask that person how to carry out the next step
in the sequence of screens they needed to fill out. It was pretty disturbing.

Customers have to place a lot of faith in the retailer, unfortunately.

------
h000per
While password based phishing might have been stopped by U2F it still leaves
Gmail accounts vulnerable to OAuth phishing attacks which can be just as
devastating.

------
abalone
What are the mobile prospects here? Sounds like the main motivation is that
phone numbers are not secure second factors. But the result is a solution that
only works on desktops (is that correct?) and requires a physical key that can
be easily lost.

Modern phones now have secure coprocessors and biometric authentication. Why
not use that method for the second factor? It doesn’t rely on a phone number
and it would handle both mobile and desktop.

------
orbitingpluto
If security keys are so great, why do I still have to process two to five
reCAPTCHAs every single time I log into almost any website?

reCAPTCHAs are ubiquitous and becoming increasingly time consuming. I probably
have to spend 4 minutes every day filling them out. Google is getting 20-25
hours of free labour from me this year.

The class action suit that was questionably dismissed by the judge in 2016
should be revisited.

~~~
vel0city
reCAPTCHAs usually have a trustiness factor built into the code. If some
combination of identity (IP address, browser fingerprint, last login on the
site, etc) is questionable, it will give you more captchas. Do you use a lot
of public VPNs? Are things from your network stuff Google might consider
shady?

~~~
orbitingpluto
Lovely argument you have there. It boils down to this:

"Perhaps you are not subjecting yourself to monitoring by Google so that they
may further monetize your Internet history."

My initial argument stands:

"If security keys are so great, why is Google subjecting me to so many
CAPTCHAs? Perhaps it is because they want free work. A password and security
key challenge should be all the proof that Google needs."

I've had similar discussions before. I've even had someone call me a criminal
for running an ad blocker. I'm not fond of the word shady either.

------
sapphire_tomb
Does anyone know if these things are possible to get working when your daily
interaction is with a thin client?

My workstation sits in a rack in a server room, and where I work's current
policy of 1.7 people to a desk means we all hot desk. Whatever thin client I
sign into uses RDP to connect to my workstation. Is there enough UDP
redirection support in RDP to make using these keys possible?

~~~
tialaramex
I am not sure. I'm assuming your thin clients have USB sockets and you can
plug in generic USB keyboards, mice, etcetera. If you have to use a built-in
keyboard + pointing device then you're almost certainly screwed.

The USB FIDO tokens are HID devices, but they deliberately don't specify what
_sort_ of HID device they are. The idea is that this makes the client
(browser) side easier as every major OS has some means for ordinary programs
to talk to generic HID devices - to support graphics tablets and other odd
things. So it's possible that a system generic enough to let you plug in any
HID device (mouse, keyboard, trackball, stylus, whatever) to your thin client
could work with FIDO.

Security Keys do seem like an attractive idea for a thin client environment if
they work.

RDP does have "input redirection" but the problem is whether it's low level
enough to redirect a HID protocol it doesn't understand. If RDP insists on
thinking about keys pressed or movement of a pointer that's obviously no help
for FIDO, but if it can just proxy the HID layer itself that's enough.

------
Svoka
I don't get it: how it's better than my password manager not autofilling
passwords? Which is basically free, and doesn't require inconvenient usb
dongles. (I'm not claiming that it isn't better, honestly asking how it's
better because I don't understand benefits of this technology over simpler
solutions like password manager)

------
djrogers
Question here - how do I use a technology like this with my iPhone and iPad?

This looks great for my laptop, but that’s only about 20% of my online time...

~~~
ctime
For Google Apps, you could use a Bluetooth LE U2F Security key, like a Feitian
[1] plus the Google Smart Lock app on the App store [2].

1. [https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/d...](https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/dp/B01LYV6TQM)

2. Google Smart Lock by Google, Inc.

------
kerng
Adversaries just steal the cookie issued after MFA completes these days.

“We have had no reported or confirmed account takeovers since implementing
security keys at Google,” the spokesperson said.

Makes me wonder if they have the right detections in place. It's extremely
unlikely and naive to think that Google would not have at least one
compromised account at any given time.

~~~
djrogers
> Adversaries just steal the cookie issued after MFA completes these days.

Stealing a cookie is a _much_ different attack vector than phishing, which is
what TFA is discussing. It also requires a completely different level of
access and sophistication, which puts it in a category so different as to make
comparisons irrelevant.

> It's extremely unlikely and naive to think that Google would not have at
> least one compromised account at any given time.

Stealing a session cookie does not equal a compromised account, while phishing
does.

~~~
kerng
In the online world a session cookie or Bearer token is pretty much equivalent
to an account compromise, in fact often it is exactly the same. Hard to argue
if one gets email access to claim that their account wasn't compromised.

~~~
puzzle
Not so fast. For years, Google has supported channel binding between GFEs and
Chrome. The cookie alone is not enough: you need to steal the private key as
well. I can't remember if that's the case, but it would make sense for
@google.com accounts to have more aggressive settings.

[http://www.browserauth.net/channel-bound-cookies](http://www.browserauth.net/channel-bound-cookies)

Even before that, Google has had a system to detect cloned or tampered cookies
on the server side for more than a decade, as described in its patented glory
(don't open if you think your company's lawyercats are going to be unhappy):

[https://patents.google.com/patent/US8302169B1](https://patents.google.com/patent/US8302169B1)
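An added sketch (not Google's or browserauth.net's code) of what channel binding buys in the cookie-theft scenario discussed above: the session cookie carries an HMAC over the session ID and the TLS channel ID, so the cookie value alone does nothing when presented from another channel. Channel IDs here are constructed stand-ins for the hash of the per-origin client certificate a browser would prove possession of in the TLS handshake.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Server holds the key used to bind cookies. Cookie format (simplified model):
// sessionID "." hex(HMAC-SHA256(key, sessionID "|" channelID)).
type Server struct{ key []byte }

func (s *Server) tag(sessionID, channelID string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(sessionID + "|" + channelID))
	return m.Sum(nil)
}

// IssueCookie is called once login completes over the channel channelID.
func (s *Server) IssueCookie(sessionID, channelID string) string {
	return sessionID + "." + hex.EncodeToString(s.tag(sessionID, channelID))
}

// ValidateCookie returns the session only if the cookie arrives over the channel
// it was bound to; a copied cookie from another client (other channel ID) fails.
func (s *Server) ValidateCookie(cookie, channelID string) (string, bool) {
	sessionID, tagHex, ok := strings.Cut(cookie, ".")
	if !ok {
		return "", false
	}
	got, err := hex.DecodeString(tagHex)
	if err != nil || !hmac.Equal(got, s.tag(sessionID, channelID)) {
		return "", false
	}
	return sessionID, true
}

// DemoBinding: the user's browser (channel A) receives a cookie; the same value
// replayed from another machine (channel B) does not open the session.
func DemoBinding() (ownChannelOK, replayFromOtherChannelOK bool) {
	srv := &Server{key: []byte("constructed server key")}
	// Constructed channel IDs standing in for client-certificate hashes.
	cookie := srv.IssueCookie("sess-12345", "channel-A")
	_, ownChannelOK = srv.ValidateCookie(cookie, "channel-A")
	_, replayFromOtherChannelOK = srv.ValidateCookie(cookie, "channel-B")
	return ownChannelOK, replayFromOtherChannelOK
}

func main() { fmt.Println(DemoBinding()) }
```

The binding is only as strong as the channel ID's unforgeability, which in the real design rests on the client's private key never leaving the browser.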

------
kop316
So something to note on using them:

[https://www.yubico.com/support/security-advisories/ysa-2018-...](https://www.yubico.com/support/security-advisories/ysa-2018-02/)

If Chrome has WebUSB enabled and can see it, it would be possible to get
around the security U2F affords.

~~~
0xfffff
Surprised not more people mentioned or recalled this, it's perfect for
phishing. One click, that's it.

------
rkeene2
The US Federal Government started migrating to using "security keys" almost 15
years ago for this reason.

Thanks George W. Bush!

[https://www.dhs.gov/homeland-security-presidential-directive...](https://www.dhs.gov/homeland-security-presidential-directive-12)

------
droopybuns
John C. Dvorak has been complaining for years about how Google handles press
requests. I don't have a good link to point to that captures what he's stated,
but I'd summarize his position as this:

Google is completely shut down to journalists. They ignore press requests with
legitimate information requests and if they don't like the tone, you'll get no
official response. Dvorak observes that Google is starting to get worse and
worse coverage in mainstream tech media as a result.

When articles like this do come out, they're usually privileged access and
tightly controlled. Lots of beautiful photos of young, attractive Google
employees "changing the world."

In this case, we have yet another article published talking about how Google
is doing everything right.

Krebs is typically a reliable journalist, but this article stinks of
privileged access to me. The key point is right at the beginning of the
article:

Google has not had any of its 85,000+ employees successfully phished on their
work-related accounts since early 2017 [...] the company told KrebsOnSecurity.

How much trust should we be investing in The Great Google again?

~~~
snurk
Taken literally, the article only highlights a correlation - introduction of
the physical keys + absence of phishing. But Google may have introduced other
security changes as well. The article doesn't go so far as to say that the
switch to physical keys from SMS 2FA actually solved the problem on its own.

------
tonysdg
All I can think of is this fun story from a few years back:
[https://www.theregister.co.uk/2013/01/16/developer_oursource...](https://www.theregister.co.uk/2013/01/16/developer_oursources_job_china/)

------
EngineerBetter
Series of blog posts on how to use a YubiKey for SSH, 2FA, and 1Password:

[http://www.engineerbetter.com/blog/yubikey-all-the-things/](http://www.engineerbetter.com/blog/yubikey-all-the-things/)

------
ringbugger
We use keys like the one pictured at our company. Handy for key stores of any
kind and for U2F.

That said, the dongles are an abomination of engineering. I know that USB
jacks have a defined top. That is of no interest to vendors, it seems...

------
drcongo
You really have to trust something that you stick in a USB port and press a
button on.

~~~
drcongo
Seeing as I'm getting downvoted for this, we've already seen breaches due to
infected USB sticks being sold next to NATO in Kabul [1], these seem like a
pretty good black hat attack vector to me, especially as most employees are
going to carry these things around on a keyring so they don't lose them. It
only takes a second to switch it out for a compromised key when that employee
is at the bar.

[1] [http://uk.businessinsider.com/russia-planted-bugged-thumb-dr...](http://uk.businessinsider.com/russia-planted-bugged-thumb-drives-to-break-into-us-govt-computers-2017-3?r=US&IR=T)

~~~
joshuamorton
Each key is locked to an account. If you tap your key and it doesn't work,
that's a potential security issue to be reported.

~~~
drcongo
Yes, yes it is.

~~~
joshuamorton
My point is:

1. This is immediately obvious.

2. You've now maybe pwnd a single device, but in doing so you also removed any credentials from the device, so it's not valuable.

3. USB mice and keyboards already exist, and are plugged in to most computers.

~~~
palisade
I think drcongo's point is that if an operative meets someone at the pub and
swaps out a similar-looking fob on his keychain for one that contains a virus,
it doesn't matter if you only "pwned" a single device, you're in the network
and it is time to start exploring.

~~~
joshuamorton
But you're not in the network. You have to authenticate to access the network,
and that requires the u2f key that you just removed.

~~~
palisade
Your virus is on a machine in the network, therefore you're in the network. At
that point, it is a matter of exploring the network, fingerprinting systems,
scraping for exploits, and attempting intrusions. Or, waiting until an
administrator does something silly like attempt to use their privileges on the
machine to accomplish some task. I believe this was exactly how the Sony hack
was conducted.

Edit: Also, at some point the employee will be reissued a new key fob for the
"broken" one and at that point they will enter their credentials into the
network again on that machine giving you access.

Edit 2: I guess a procedure that could prevent this is to require I.T. check
the serial number of a fob that has been reported as "broken" thereby
verifying there hasn't been a potential intrusion.

~~~
joshuamorton
As far as I know, at Google my work laptop has as much access to the 'network'
as my personal one does, at least until I'm authenticated. (Beyondcorp)

And the last time I plugged my keyring key into a computer was a year ago.
Most use the nano keys which you never remove from the history device.

~~~
palisade
Deleted

Edit: In answer to your response. Yup.

~~~
joshuamorton
I can't make heads or tails of this comment, likely due to hn formatting.

But as far as I can tell, this exploit requires 3-4 zero day exploits to be
discovered in a system the attacker has no access to, and to all go
undiscovered for an unknown amount of time while said attacker is
exploring.

That's much better than "I can steal user credentials and then download an
exploit trivially."

------
urda
How does everyone keep track of where they have used their Yubikeys?

------
amaccuish
I wish smartcards had gotten more support. I like that it can combine two
factors in one authentication mechanism.

~~~
foepys
This is surprising to me as well. In Germany, where I live, the government has
been using smartcards as an authentication mechanism in many places for at
least 5 years now, if not 10 or more. The workers don't need passwords or user
names, they simply plug their card into their keyboard, and when they leave
for a break or go home, they take their card with them and everything locks
automatically.

This only works internally; externally they have to log into a VPN via
username/password and then have to use the smartcard as well.

I don't see why this is suddenly innovative.

------
snurk
> ...thieves can intercept that one-time code by tricking your mobile provider
> into either swapping your mobile device’s SIM card or “porting” your mobile
> number to a different device.

Are these theoretical attacks? Has this ever actually happened?

The article only correlates the end of phishing with introduction of the
physical keys. I'm wondering if it's really necessary - if typical 2FA via
one-time pw to SMS is easily sufficient.

~~~
vxNsr
Yes I can't find the articles now but there are reports of phishers using this
technique to get around 2FA over SMS.

~~~
SpaethCo
They got around 2FA over SMS because a number of services like GMail offered
_password reset_ via SMS as well as 2FA over SMS.

It was the password reset process that was the most vulnerable, and strangely
the part that kept getting glossed over when people reported on the takeover
incidents.

------
baxtr
Nice article. However, it's a bit weird that they link to one of their
advertisers :/

------
IloveHN84
Imagine if a promoter of a technology implemented in their browser was
flawed/didn't work.

If you ask a wine producer how tasty his/her wine is, she would reply that
it's awesome.

------
homakov
Same can be achieved without hardware part.

------
trumped
Even Google employees fall for these phishing attacks?

------
kerng
If Google has an internal offensive pen test team, I assume they would likely
disagree with that statement, esp. since Chrome allowed (maybe still allows?)
to read Yubikey info via WebUSB for instance - only one click in UI that was
the mitigation.

If Google would authorize external hackers (eg via bug bounty), it probably
would take about 2-4 hours to phish an account successfully. :)

~~~
kyrra
I believe this is the key quote:

“We have had no reported or confirmed account takeovers since implementing
security keys at Google,”

Security keys basically remove the account takeover path, but there are still
many other types of phishing attacks out there that are still effective.
