
Strengthening 2-Step Verification with Security Key - newscasta
http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+GoogleOnlineSecurityBlog+%28Google+Online+Security+Blog%29
======
semenko
No one has mentioned the coolest feature of U2F/Fido auth: TLS Channel IDs.

Via an internal Chrome extension ("cryptotoken"), authentication state & the
handshake can be bound to a specific TLS session -- preventing cookie theft.
Incredibly cool: [http://www.browserauth.net/channel-bound-
cookies](http://www.browserauth.net/channel-bound-cookies)

~~~
sweis
This is indeed a cool feature. I hadn't been aware of it until now. I see that
Dirk Balfanz from Google published a IETF draft a couple years ago.

I need to digest the security implications, but it seems like a nice
mitigation to session theft.

~~~
zobzu
until tls session resumption gets more common and someone comes up with a "tls
session resumption is not in fact secure" :(

there were some talks in 2013 about this in various sec conferences

------
tokenizerrr
Interesting. I've hacked something together for my personal usage with my
OpenGPG smartcard for use on my Windows desktop and developer-mode chromebook.
In the end I had to work with "chrome native messaging" which basically calls
native binaries on the host OS and is a nightmare to set up.

This doesn't look like they're planning to start supporting existing
smartcards, but hopefully it's a first step?

My idea was to create a login page that requires the user to sign a secret
with their private key which can be completed manually, but also automatically
with the click of a button if the extension is installed. The key could live
securely on a smartcard or in the user's gpg keyring, it doesn't matter as
that part is deferred to gpg.

In case anyone happens to be interested, my un-documented prototype sits at
[https://github.com/r04r/GPGThing](https://github.com/r04r/GPGThing). It
consists of a chrome extension, a golang application do some juggling between
json input/output (which is a limitation by chrome native message passing) and
gpg, and apache configs to set it up as an authentication method.

There's some more hacks necessary to get it working on chromebook, including a
crouton installation with gpg.

~~~
iancarroll
Is there more info on GPG smart cards? I use a SafeNet eToken and highly
reccomend it but it does X.509 certificates instead of GPG.

~~~
tokenizerrr
I've found
[https://wiki.debian.org/Smartcards/OpenPGP](https://wiki.debian.org/Smartcards/OpenPGP)
a really good resource with plenty of links. There's also
[https://www.gnupg.org/howtos/card-howto/en/smartcard-
howto-s...](https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-
single.html) &
[http://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard](http://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard)
which I've found helpful. Once they're set up they behave just as if the key
was part of your local keyring encrypted with the smartcard's passphrase, but
is of course only usable when the card is plugged in.

It actually seems like the Yubikey Neo also supports GPG, so that is quite
nice. I own
[http://shop.kernelconcepts.de/product_info.php?products_id=4...](http://shop.kernelconcepts.de/product_info.php?products_id=42)
&
[http://shop.kernelconcepts.de/product_info.php?products_id=1...](http://shop.kernelconcepts.de/product_info.php?products_id=119)

------
semenko
EDIT: Looks like this is now working! Looks like there is a tiny UI bug --
make sure your account is correctly selected on the Security Token page if you
have multiple accounts signed in. #userError

Ouch, looks like a serious downside is that a given key can only be used with
one Google account.

Trying to add a U2F-compatible token to more than one Google account results
in errors: "This Security Key is already registered. Use a key that is not
registered yet and try again."

~~~
Someone1234
I just looked at the specification for this, it looks like a Google-specific
limitation. There's no reason why a single site couldn't support the same U2F
for multiple accounts.

In fact in Google's presentation they advertise a husband and wife using the
same exact token for both of their accounts [0].

[0]
[https://sites.google.com/site/oauthgoog/gnubby](https://sites.google.com/site/oauthgoog/gnubby)

~~~
semenko
Ah, it looks like their FAQ also says this is supported:

    
    
       Can I use the same Security Key with multiple Google Accounts?
       Yes. You can register the same Security Key with multiple Google Accounts.
    

[https://support.google.com/accounts/answer/6103543?hl=en](https://support.google.com/accounts/answer/6103543?hl=en)

------
rlpb
How does the challenge get from the web browser out to the USB device? I've
spent some time looking for a specification, but haven't managed to find the
answer to this question.

~~~
elteto
The device probably registers as a USB keyboard, and it "types out" the
2-factor code when you tap it.

~~~
rlpb
Right, but how does the challenge get to the device?

"Security Key is a physical USB second factor that only works after verifying
the login site is truly a Google website, not a fake site pretending to be
Google."

The specs say that a challenge is involved. The device must receive the
challenge. "Typing out" keys isn't sufficient unless that typing can go the
other way. And in the OS, there has to be support for Chrome to send data to
such a device. Normal keyboard input is not sufficient for this. This is what
I'm looking for clarity on.

------
kmfrk

        Security Key does not work on browsers other than Chrome.
    

Well that's a bummer.

Doesn't mean it can't be useful in some settings, though.

~~~
wlesieutre
Also this though:

> Security Key and Chrome incorporate the open Universal 2nd Factor (U2F)
> protocol from the FIDO Alliance, so other websites with account login
> systems can get FIDO U2F working in Chrome today. _It’s our hope that other
> browsers will add FIDO U2F support, too._

~~~
philip1209
If you share the same FIDO U2F key between services, does that mean that one
service could spoof tokens for a different service?

e.g. foo gets compromised, so attackers can generate codes for google apps.

~~~
ef4
No. There are no shared secrets. This is real asymmetric crypto.

------
eykanal
So, we recently had a bunch of articles coming out on "the fundamental
insecurity of USB" [1]. How does that jive with a USB-based security key?
Can't this be "flashed" like any other USB device?

[1]:
[https://www.schneier.com/blog/archives/2014/07/the_fundament...](https://www.schneier.com/blog/archives/2014/07/the_fundamental.html)

~~~
mankyd
The insecurity relates the problem with allowing random usb devices to be
plugged into a computer. Specifically, it points out that, even if you wipe an
usb stick, you still can't trust that it's safe.

The devices that Google is referring to should be inherently safe. If you
don't trust the supplier of these devices then yes, that's an issue. But, in
theory, you receive these from a trusted source. As long as the device doesn't
leave your possession, you're ok.

Edit: I should add that I didn't quite summarize the vulnerability correctly.
If you plug a trusted USB device into an untrusted computer, you also have the
potential for attack. If the USB device can be made writable, the computer can
infect the USB device, propagating malware forward. I _assume_ that these
security keys are made read-only before they leave factory, but
vulnerabilities can be found in the darnedest of places!

~~~
Buge
I have a Yubikey and it isn't read only. You can customize how it works with
software they provide.

~~~
fluidcruft
Setting parameters in the device is different than replacing the firmware. The
attack requires replacing the firmware. As far as I know yubikeys have never
been able to update firmware after they've left the factory. In the forums you
will see yubico people offering to swap devices because of problems related to
outdated firmware.

There was also a blog post by yubico confirming that the badusb attack is
irrelevant on yubikeys. [https://www.yubico.com/2014/08/yubikey-
badusb/](https://www.yubico.com/2014/08/yubikey-badusb/)

I think the take away is that all the devices are read only except the Neo and
the Device Firmware Upgrade (DFU) implementation on the Neo "requires the new
firmware image to be signed by [yubico]. Yubico does not endorse nor support
use of DFU for users"

The Neo also has javacard capability that lets you load applets. In the latest
devices unless you purchase the developer editions, the javacard apps cannot
be updated.* Older Neo's allowed you to build and load your own javacard apps.

* I'm not entirely sure about whether in the latest Neos the javacard apps can be updated to new official signed yubikey versions or whether the javacard apps cannot be updated at all...

------
tantalor
Some comments are pointing out how awkward this might be,

> I don't see a point in plugging my entire keychain (the physical keychain,
> with my car keys) into my laptop every time I want to log in

> I'm not sure about having to plug it in every time

I'll share my experience. I use two of these on a laptop and desktop and I
have never unplugged them; there's no reason to. They sit very flush in the
USB slot. I suppose if I ever needed the extra USB slot for something else I
might unplug it.

~~~
dingaling
> I use two of these on a laptop and desktop and I have never unplugged them;
> there's no reason to.

I use a Yubikey for ${WORK} and we are required to remove such tokens as soon
as they have fulfilled their purpose. On pain of disciplinary action, as it is
considered on par with leaving a password on a Post-it.

Otherwise there's no point in them as an additional security step in the event
that the laptop is lost or stolen.

~~~
tonfa
If laptop is stolen you can revoke it, and your password shouldn't be
compromised at this point. And hacking through phishing is way more likely in
any case (security keys protect against it while regular 2fa doesn't).

~~~
bjeanes
Additionally, if somebody removes the token, dumps a bunch of OTPs and then
puts it back, as soon as you use the token once, it will invalidate all
previous ones so their dump will be reasonably useless. I leave my key in my
computer _when I 'm at my desk_ but have it attached to my keychain so that I
take it with me if I leave my desk.

~~~
tonfa
FYI the nice thing with security keys, is that you can't actually do that
(dump a bunch of OTPs to use later).

------
StavrosK
This is very interesting. Is this Yubikey-compatible?

[http://www.amazon.com/Plug-up-
International-U2F-SK-01-FIDO-S...](http://www.amazon.com/Plug-up-
International-U2F-SK-01-FIDO-
Security/dp/B00OGPO3ZS/ref=sr_1_1?ie=UTF8&qid=1413900231&sr=8-1&keywords=FIDO+U2F+Security+Key)

Can I buy one of these to use with SSH auth/password programs/Chrome?

~~~
higherpurpose
It should be:

[https://fidoalliance.org/adoption/video/yubico-fido-
alliance...](https://fidoalliance.org/adoption/video/yubico-fido-alliance-
universal-2nd-factor-u2f-demonstration)

[https://www.yubico.com/products/yubikey-
hardware/fido-u2f-se...](https://www.yubico.com/products/yubikey-
hardware/fido-u2f-security-key/)

~~~
iancarroll
Blog post: [https://www.yubico.com/2014/10/google-releases-support-
fido-...](https://www.yubico.com/2014/10/google-releases-support-
fido-u2f-security-key/)

------
barrkel
This seems to me to be a bit of a narrow market. At the upper end of secure
machines, USB ports will be physically disabled. And if you're not hyper
security conscious, you're not going to bother with a physical key.

So with this, you need to be somewhat paranoid, but not totally paranoid.

~~~
jlgaddis
> _At the upper end of secure machines, USB ports will be physically
> disabled._

Those same organizations would likely be looking at PKI-based smart cards that
they issue themselves over something like this, though.

~~~
aroman
Yes, and that's exactly OP's point — it's a narrow market.

~~~
richbradshaw
A narrow market that includes all domestic Chrome users who use Google
services.

------
IgorPartola
Cool, but I will continue using the Google Authenticator app. Google is not
the only thing that requires 2FA, so do numerous other sites, and GA app is
the most widely supported and the least pain in the behind. I don't see a
point in plugging my entire keychain (the physical keychain, with my car keys)
into my laptop every time I want to log into GMail, much less carrying around
10+ different USB tokens.

Now, a NFC-based token where I don't have to type anything in, or an
iWatch/FitBit/whatever type wearable as a token would be pretty cool. Or even
better: a universal library/service that abstracts which token I use. That way
I can have multiple tokens for different situations.

~~~
sciurus
IMHO the Authy app is nicer than Google Authenticator.

[https://play.google.com/store/apps/details?id=com.authy.auth...](https://play.google.com/store/apps/details?id=com.authy.authy&hl=en)

[http://itunes.apple.com/us/app/authy/id494168017?mt=8](http://itunes.apple.com/us/app/authy/id494168017?mt=8)

~~~
scott_karana
Maybe the UI is nicer, but the permissions on Android are unnecessarily
intrusive, which—to me—is a dealbreaker with a _2FA manager_.

    
    
      Device & app history
          read sensitive log data
      
      Identity
          find accounts on the device
      
      Camera/Microphone
          take pictures and videos
      
      Wi-Fi connection information
          view Wi-Fi connections
      
      Other
          receive data from Internet
          access Bluetooth settings
          pair with Bluetooth devices
          full network access
          view network connections
          control vibration
          prevent device from sleeping
          send sticky broadcast
    
    

Contrast this with Google Authenticator:

    
    
      Identity
          find accounts on the device
      
      Other
          control vibration
          full network access
          use accounts on the device
          create accounts and set passwords
          close other apps
    

[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)

~~~
avree
Well, each of those permissions they request ties to a very obvious and useful
feature.

Camera/Photo for QR code-based 2FA, Bluetooth permissions and Internet Data to
handle local connection to trusted machines and callbacks from sites like
Coinbase (when I log into coinbase, I get a handy 2fa notification from authy
that leads me right to the code)

Log data is the most questionable, but it really makes debugging so much
easier when you can see what's going on, and is a pattern/permission they
share with Evernote, foursquare, fring, Netflix, Rdio, Dolphin Browser,
AccuWeather.com, Hotmail, doubleTwist Player, MOG, Handcent SMS, Bump,
TweetCaster, etc.

~~~
philsnow
Wait, Google Authenticator lets you provision accounts by scanning a barcode,
how does it not list "take pictures and videos" in its permissions manifest ?

~~~
wmf
IIRC Google Authenticator uses a third-party barcode scanner via an intent.

------
Someone1234
Shame I have to pick EITHER 2-step or Security Key.

My ideal would be to use Security Key to bypass 2-step on devices that
supported it and then use 2-step elsewhere.

For example, some public computers have the USB port literally glued shut,
therefore Security Key won't work. In those cases I'll still have my phone
with me and could bypass it via 2-step.

Essentially I want to use the Security Key as a way to save me typing in my
2-step code because I'm lazy, rather than to "add" security.

Google's current 2-step "remember-device" doesn't really work for me as it
utilises cookies which get cleared. I could add it to a white-list of
preserved cookies but they use obscure often changing sub-domains.

~~~
handsomeransoms
You _don 't_ have to pick one or the other. According to the FAQ [0] (linked
from the blog post):

"In general, you’ll still be able to use a verification code the way you
normally do on any device that doesn’t support Security Key."

[0]
[https://support.google.com/accounts/answer/6103523](https://support.google.com/accounts/answer/6103523)

------
snowwrestler
To me, USB seems more and more like a security problem in general. Operating
systems trust USB devices implicitly, despite the fact that every single one
is a little computer of its own that can be compromised.

2-factor auth via a mobile device airgaps the devices from one another, which
seems like a great idea for security. If both factors are directly connected
by a trust-by-default data channel, it seems at least possible that one
exploit could affect both factors.

------
billpg
My worry about using my phone as the second factor is that my phone is
attractive to thieves. I would personally prefer to carry around a keyring
with many fobs on it.

~~~
jberryman
It seems a bit cheesy, but I just put a lock screen on my phone. I figure if
anyone steals it, they're unlikely to have the chops to bypass it without
wiping the phone (I assume that's possible with adb at least). That combined
with Google's remote wipe functionality and I'm pretty comfortable with the
theft scenario.

------
higherpurpose
Could we instead use smartwatch Bluetooth or NFC (probably better, I don't
like the long range of Bluetooth for something like this) to unlock sites
instead of these USB keys? Does the FIDO Alliance support such a protocol? I
know Android 5.0 supports that but it's only for unlocking the phones (and
Chromebooks I believe). But what about sites? Or is that too risky compared to
an USB key?

~~~
minisu
FIDO U2F strives to support Bluetooth and NFC, see
[https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-201...](https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20141008.pdf)

------
AdmiralAsshat
I like the idea of a physical key distinct from the phone, but I'm not sure
about having to plug it in every time and/or restricting it to Chrome devices.

Is there some way that it could instead be made compatible with a device like
the RSA SecurID tokens? That way it remains separate from the devices I'm
trying to get into and doesn't require a USB slot.

~~~
amluto
Unfortunately, the FIDO Alliance seems to have forgotten to specify CCID
bindings for U2F (i.e. they left out the trivial part of the protocol that
would describe how to talk to one of these tokens in a smart card slot or over
NFC). The specs describe USB HID bindings.

[https://fidoalliance.org/specifications/download](https://fidoalliance.org/specifications/download)

------
chris-at
Sounds like an interesting idea but isn't it a bit limited? I can only use it
on a computer, not on mobile devices.

~~~
pgeorgi
Yubikey Neo should provide FIDO U2F over NFC.

~~~
kissickas
So the mobile version of this would be /less/ secure than standard 2FA?

~~~
emu
Why? Even if you can eavesdrop on the NFC communication, how does intercepting
the challenge/response help you?

~~~
kissickas
I'm just asking, because I have no idea how this works. I figured an assailant
could more easily make use of an NFC signal than they could see the code on
the front of the device in the short time it takes you to memorize or
copy/paste the code.

~~~
nyolfen
it uses an OTP so even if they intercepted it, it wouldn't be useful

------
fidotron
Would be good if next gen chromebooks have a bay on the bottom with a USB
socket so you can leave one of these attached without it dangling off the side
(and maybe permanently glued in by paranoid IT). Another trick might be NFC in
the palmrests that can detect your watch . . .

Looks like a solid step in the right direction though.

~~~
DEinspanjer
Yubikey's first offering that is U2F compatible is that bright blue USB key,
but they have previously offered a USB key that is almost flush with the port,
and the conductive contact is on the edge of it. I suspect they'll be updating
that product to offer U2F soon, and it should be a better fit for what you are
asking.

~~~
cdjk
They already have with the neo-n:

[https://www.yubico.com/products/yubikey-
hardware/](https://www.yubico.com/products/yubikey-hardware/)

It does cost a bit more than the U2F-only version, however.

------
danielsju6
Super cool; this a great win on the path to U2F acceptance. I ordered a key to
try it out; I've been meaning to anyway. I want to try out the using U2F via
NFC on Android and see if I can hack something together using Apple's private
NFC framework. Wish the tokens had BTLE compatibility though.

------
jessaustin
ISTM that a nice feature for HN would be to strip out the

    
    
      ?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Google...
    

crap that gets stuck in URLs occasionally when people use RSS readers. In this
case it doesn't seem to include any PII but I think sometimes it does?

------
bjelkeman-again
With more interaction online moving to smartphones and tablets, what do we do
instead of USB hardware keys like these?

~~~
x1798DE
Probably a similar device but with some sort of low-power NFC transponder
rather than a physical connection.

~~~
janzer
I've never used it but, [https://www.yubico.com/products/yubikey-
hardware/yubikey-neo...](https://www.yubico.com/products/yubikey-
hardware/yubikey-neo/) seems to fit the bill.

~~~
jgrowl
I have one. It is pretty cool but it hasn't been real useful up until now. I
haven't found many apps that support it.

I ended up just grabbing the clipboard app that yubikey puts out.

I tried using the static password feature by using it as part of my master
password in 1password but the newer versions of 1password block using the
clipboard in android (with good reason). It would be pretty awesome if
password-managers added support for it.

~~~
ascorbic
LastPass supports Yubikey natively, including on mobile.

------
bluesign
I don't get this, what about malware pretending to be a browser? Is there a
protection against this in protocol

~~~
wmf
Yes, I think the protocol protects against MITM and replay attacks.
[http://fidoalliance.org/specs/fido-security-
ref-v1.0-rd-2014...](http://fidoalliance.org/specs/fido-security-
ref-v1.0-rd-20140209.pdf)

~~~
yanonymator
No, not really - if you're a MITM, you control what the user sees, as well as
what gets sent to the device, and nothing prevents those 2 things being
different. You might _SEE_ that you're sending $100 to Grandma, but when you
tap the key, you're authenticating your entire bank balance to some place in
the Bahamas.

------
hangonhn
Not much of an improvement over 2FA using my phone because the times when I
really need it to be easy is when I'm browsing on my phone. Since this is USB
I can't use it on my phone. When I'm on my laptop I just pull out my phone and
type in a short code and be done with it.

~~~
orclev
Not sure how it will interact with this, but at least one of the compatible
Yubikey devices that was mentioned also supports NFC specifically for use on
mobile devices that lack USB ports.

~~~
orclev
As an addendum to this, after looking over the spec, it appears that the
FIDO-U2F protocol currently _only_ supports USB, but that support for NFC and
bluetooth is planned in later versions of the specification. Presumably a
firmware update sometime down the line would be sufficient to bring the
Yubikey device up to date with the NFC standard and allow it to work over NFC
in addition to the currently supported USB version of U2F.

~~~
amluto
Yubico doesn't allow firmware updates. They do, however, support the
GlobalPlatform standard for uploading new JavaCard applets, and, if the NFC
bindings were designed such that a JavaCard applet could implement it, then a
U2F applet could be uploaded to an existing YKNeo.

------
wnevets
is this the result of the partnership with yubikey?

~~~
higherpurpose
Google is supporting the FIDO U2F standard just like Yubikey now.

~~~
yanonymator
They pay upwards of $100k+ per year to have a seat on the board and direct the
"standard" to suit their products.

~~~
SEMW
Your comment reads as if you believe that having an authentication standard
that suits the products of the largest webmail provider is somehow bad. I'm
having trouble understanding this. Better suiting the use-case of things like
gmail seems like unequivocally a good thing. (As does the consortium being
better funded by $100k+ a year, for that matter.)

