22 Oct 14

Google Accounts Now Support Security Keys

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubico.

The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.

The move comes a day after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for stuff at participating merchants merely by tapping the phone on the store’s payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, government Web sites may also offer consumers more authentication options than many financial sites.  An Executive Order announced last Friday by The White House requires the National Security Council Staff, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) to submit a plan to ensure that all agencies making personal data accessible to citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.


100 comments

  1. ‘…[M]ore secure and robust authentication options than are currently available to consumers by their financial institutions. ‘

    Right. It dismays me that my bank (Chase) doesn’t offer any 2-factor ID. But I can’t find one that does, so I’m stuck with them.

    • @David T, Several institutions have 2fa, but many of them make it hard to find. For quick links look at https://twofactorauth.org/#banking .

      • blackjackshellac

        Ha ha, on a site (https://twofactorauth.org) with an invalid cert, perfect.

        • and…so? Site has to have a valid cert to have valid info? /logicfail

          • No, not a logic fail.

            While the info may or may not be accurate, a site that is supposedly providing info on security might be expected to meet minimum best practices itself. Not having a valid certificate makes me question everything else they tell me.

            It’s like a Doctor with a cigarette in his hand telling you to stop smoking.

            • The certificate presented isn’t “invalid”. It’s a cloudflare cert. They’re free (and on by default now I think) for cloudflare hosted sites but they don’t include custom hostnames.

              A few hosting companies are doing this now – and it’s good in one sense, but they really should be adding the custom hostnames as SANs.

    • My credit union does, in the form of a code called back to my cell phone.

    • Bank of America offers two-factor authentication using RSA SecureID. They seem to implement it correctly, asking for a new ID just ahead of any important transaction, heading off a man-in-the-middle attack that scrapes an ID and then dumps the user with an error message.

    • @David Chase does have 2FA … at least the Credit Card site does. If I login from a different PC, it sends me a text. You might have to do some more research.

    • Bank of the West

      They’re all over personal security!

      • I use BOTW and have found no offers for better security, in fact they just removed the image verification step from their logon process. In addition they appear to have a slapped together internet services offering that looks like someone took a mainframe and attempted to “weberize” it.

        Please post a link to the BOTW 2fa information, I’d love to see some improvements in their services.

    • My bank doesn’t even allow complex passwords…no special characters and can’t be longer than 8 chars. I think it’s time to find another bank!

    • http://twofactorauth.org/ indicates that Chase does have 2fa:
      https://mobilebanking.chase.com/Public/Docs/Faq?nodeId=1&itemId=2

      What you should be dismayed by is that they (Chase) didn’t tell you.

      It actually came up recently, when Chase was breached (at least a database with accounts and passwords was exfiltrated), they said that some customers wouldn’t be impacted because they have two factor authentication enabled. — Unfortunately, I can’t find a citation for that right now.

    • William Hugh Murray

      Actually Chase does offer strong authentication to some customers. I am not sure how one qualifies but I suspect a business account is one of the hurdles.

  2. I saw a story about this yesterday – the details about the underlying technology are very sparse at the moment.

    And to test this, one needs to purchase a physical key (which one can purchase from Amazon – search for U2F). Price starts at $6 and goes up to $50. The $50 key includes other capabilities – the cheaper ones can only be used for U2F.

    I will probably order one just to play with. I have experimented with earlier versions of such keys from a company called Yubico, but those worked differently and were never integrated into a browser (they were integrated with the PasswordSafe that I use to store the plethora of passwords that I have).

  3. “because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with”
    Slight correction here: the current system is a form of cryptography, it relies on a shared secret between you and Google (assuming you are using the authenticator app) which it derives nonces from. There is nothing less “cryptographic” about this than this new device :/. Sending random codes over SMS (which is easy to intercept) is criminally stupid of course and people need to stop doing it.

    • That’s a direct quote from Google, not my explanation.

    • It is NOT a shared secret, but a public key setup, with a different public key for every site, with a “Leap of Faith” style initial key exchange.

      The authenticator device supports two operations: “Register” and “Authenticate”

      Register has the device given a 32 byte challenge (nonce) and a 32 byte application parameter. It generates a new public/private key pair (ECC with P-256 as the curve).

      It returns the new public key, a “key handle”, an X509 attestation certificate, and a signature over the public key, application parameter, challenge parameter, key handle, and public key.

      This is then returned to the site, so the site knows the user’s public key with the given key handle. This is a “Leap of Faith” key exchange, that you basically trust in setting up/registering a new token.

      Authenticate takes a 32 byte challenge, 32 byte application parameter, and the key handle, and returns “was a user there”, a 4 byte counter of the # of signatures this device has done in its lifetime, and a signature over the app parameter, user presence, counter, and challenge.

      This is then returned to the server, which can now verify that the signature was created by the private key associated with that user.

      • Thanks for the explanation. I was under the impression that it was using the standard TOTP protocol but I guess they developed their own protocol, fair enough!

        • Overall, the protocol is very cute and well done: It’s designed to not just say “the device is in the computer” but “a human is at the computer” because at least some devices like the YubiKey device have a push-button that must be pressed.

          It is also, blessedly, a very dumb crypto protocol: it doesn’t try to be fancy, it doesn’t support lots of variant curves or anything else.

          It does need the addition of “User consent for transaction”, basically a “display string/audio string” pair that is also included in the signing and needs to be played before the user presses the button in order to enable authenticating transactions rather than just devices, but that would be easy to extend into the protocol.

          The only distant worry I have is P-256 itself: it has NIST-defined magic numbers which make people worry. I’d be more comfortable with good ol’ 4096b RSA for the public key operations, but I’m paranoid on math I do not understand, and really paranoid on crypto with such opaque magic constants as the NIST curves use: dual-EC was a wake-up call.
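The Register / Authenticate exchange laid out in the reply above, and the user-presence and counter points made in the follow-ups, as an added example that is not part of the original post, the FIDO specification or any vendor's code: a token and a relying party simulated in Go with the standard library's P-256 ECDSA. The origin string, the key-handle layout (a hash used as a table index rather than a wrapped key), the always-present button press and the omission of the attestation certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed simulation of the U2F Register / Authenticate flow described in the comments
// above; example code, not the FIDO spec or any vendor's. A real token never releases its keys.

const userPresent byte = 0x01

type registration struct {
	priv *ecdsa.PrivateKey
	app  [32]byte // application parameter the key was minted for
}

// token models the authenticator: keys behind opaque handles, plus a lifetime counter.
type token struct {
	keys    map[string]registration
	counter uint32
}

func newToken() *token { return &token{keys: map[string]registration{}} }

// appParam is SHA-256 of the application identity (origin) the browser supplies.
func appParam(origin string) [32]byte { return sha256.Sum256([]byte(origin)) }

// register mints a fresh P-256 key pair bound to app and returns public key and key
// handle. The attestation certificate and registration signature are left out
// (assumption: the site trusts the key on first use, the "leap of faith" above).
func (t *token) register(app [32]byte) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Constructed: the handle is only an index into the token's table; real tokens usually wrap the key inside it.
	handle := sha256.Sum256(priv.PublicKey.X.Bytes())
	t.keys[string(handle[:])] = registration{priv: priv, app: app}
	return &priv.PublicKey, handle[:], nil
}

// authData is the signed message: app parameter || presence || counter || challenge.
func authData(app [32]byte, presence byte, counter uint32, challenge [32]byte) []byte {
	msg := append(app[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, challenge[:]...)
}

// authenticate signs the challenge with the key behind handle. A handle minted for
// another app parameter is refused: a phishing page on a different origin hashes
// to a different parameter, so the registered key simply does not work there.
func (t *token) authenticate(challenge, app [32]byte, handle []byte) (byte, uint32, []byte, error) {
	reg, ok := t.keys[string(handle)]
	if !ok || reg.app != app {
		return 0, 0, nil, errors.New("key handle does not belong to this application")
	}
	t.counter++ // lifetime signature count, sent in the clear; the button press is simulated
	digest := sha256.Sum256(authData(app, userPresent, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.priv, digest[:])
	return userPresent, t.counter, sig, err
}

// relyingParty is the website: public key and handle per user, last counter accepted.
type relyingParty struct {
	origin      string
	pub         *ecdsa.PublicKey
	handle      []byte
	lastCounter uint32
}

// verify checks presence, that the counter advanced (a repeated or lower value means
// a replayed response or a cloned token) and the signature under the registered key.
func (rp *relyingParty) verify(challenge [32]byte, presence byte, counter uint32, sig []byte) error {
	if presence != userPresent {
		return errors.New("user presence not asserted")
	}
	if counter <= rp.lastCounter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	digest := sha256.Sum256(authData(appParam(rp.origin), presence, counter, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter = counter
	return nil
}

// login runs one round trip for a fresh challenge; origin is what the browser reports
// (honest only when it equals rp.origin).
func login(rp *relyingParty, tok *token, origin string, challenge [32]byte) error {
	presence, counter, sig, err := tok.authenticate(challenge, appParam(origin), rp.handle)
	if err != nil {
		return err
	}
	return rp.verify(challenge, presence, counter, sig)
}
```

The security-relevant point is where the origin enters: the browser hashes the site it is actually talking to into the application parameter, and the token refuses a handle minted for a different one, so a credential registered with the real site never signs for a look-alike. The counter check is the server's only defence against a cloned token, which is why it is compared against the last value accepted rather than merely checked for being non-zero.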

  4. I do not need/use a mobile phone, so the current 2FA leaves me out. I guess there are a few of us, so I hope more consideration is given to us.

  5. Interesting development .. But need to use Chrome (ie no FF, IE, Opera, or Safari), and need to BYOD.. Prices $6-$60, but only 3 choices, who knows what’s the right thing to buy for this, etc.

  6. I applaud the intent, and agree that banks do seem to be hugely behind on this technology.

    That said, I do hope they’ve checked that these keys aren’t vulnerable to Bad USB variants. I wouldn’t want to engage in two-factor authentication & discover malware has just gone a further step to infecting my USB token and harvesting its data (either in advance or in real time)

    • Jeff, Yubico claims to be safe wrt BadUSB:

      https://www.yubico.com/2014/08/yubikey-badusb

      “The firmware is in non-alterable ROM and can hence not be updated”

      • Good to know, thanks!

      • Peter, is that just Yubico or is it part of the standard? If the standard permits firmware-upgradeable USB then it is not secure.

        • @Stephen H

          USB spec requires firmware to be updatable by anyone. They might be re-thinking this…

          Yubikey breaks the spec.

          • So what?
            They break the spec – there’s a damn USB spec for the side of the connector the USB symbol is to be printed on. I have a few devices which are therefore “out of spec” and have been working just fine for 10+ years.

            “Out of spec” does not mean it’s broken or useless. In the case of a security dongle that needs to be hardened against attack, I WANT the “firmware upgradeable” business to be disabled. The device is cheap, if it goes bad in the future (and again, these things are extremely durable, I’ve been using yubico products for over 6 years), I will buy another one.

        • Stephen H,

          To the best of my knowledge it’s just Yubico, and it does seem to be a sensible approach IMHO.

  7. TheOregnoRouter.onion.it

    Note here that I read that these Gmail and Google security token (example: Yubikey) logins only work with Chrome and not with Firefox and Internet Explorer

  8. Last I checked, this didn’t work with Google Voice numbers!

    • I use google 2fa with Google Voice every day. It will text or call me my verification code. I also use it with Microsoft 2fa.

  9. I’m interested in this because I don’t have a mobile phone, and the landline I do have has no display so 2FA using texts can’t work for me.

    So I’ve ordered the cheapest unit I could find ($5.99+shipping that claims to be $2 – from Plug-up Intl in France) as a test.

    The amazing thing is the stark contrast in pricing: the most expensive unit (from a different provider) costs $60 + shipping.

    There are also two forms of dongle available: one is U2F, the other UAF.

    I have a 2FA fob from PayPal that’s worked well for me for some years now, and only cost $5. Bank of America briefly offered a similar unit but for $35, and they don’t seem to have kept it going (probably because at that price they had few takers).

    Since I’m stuck with Windoze XP SP3 (my hardware can’t support later MS OS and I have $0 available for a new machine) I need something other than the flaky EMET, the free version of ZoneAlarm, and various on-demand antivirus scanners such as ClamWin, to try and help keep me as secure as I can be.

    (And yes, I have explored Linux, but for now I’m stuck with Windoze because almost all of my development is for that environment; I will be (slowly) making the transition, though.)

    • William Hugh Murray

      Google’s landline option “speaks” the OTP to you. It uses spoken language. Requires no display. Will work with an iron phone.

      The Google implementation is very well thought out. Please do not over complicate this. The number of applications and environments in which none of the options work is vanishingly small.

      Please do not make the perfect the enemy of the good. That is a large part of the resistance to strong authentication. It is an argument that we apply only to the technology we are not using. If you want to use it, try it on passwords first.

      • William,

        What you say is only partially true. However, Google cannot handle landline numbers that have extensions, which is my situation (my home number requires navigation through a PBX; it used to be possible to handle such situations by incorporating commas (as pauses) to allow such navigation – usually for fax numbers – but Google does not allow non-numeric characters in the phone number).

        I checked to see whether I could be sent a spoken token through Google Voice (linked to a cellphone that is no longer functional) but it fails; the connection is made but the call is dropped before the voicemail message completes.

        I have written to Google in the past to suggest that they consider including a provision to allow the use of extensions for home numbers but never received a response.

    • First of all, use a browser other than IE. XP is stuck with the outdated IE8, while Chrome and Firefox will be updated on XP for the foreseeable future.

      Disable browser plugins you don’t use, and consider setting the plugins you do use to click to play.

      Use the noscript addon. Noscript can be a little difficult to configure (a lot of sites need JavaScript enabled) but it makes many exploits, from JS interpreter vulnerabilities to XSS, very difficult if not impossible.

      Use Sandboxie. It keeps the new and modified files that a program makes in their own sandbox, and you can delete the changes when you close the program. This makes it hard for a virus to stay on your system. It also makes it difficult for ransomware like Cryptolocker to encrypt all your files. Just empty your sandbox and your hard drive’s back to normal.

      Use HTTPS Everywhere, especially if you use WiFi. This plugin makes it harder for your traffic to be snooped on by opting to encrypt traffic with sites that support it.

  10. It’s ironic that Google is trying to secure its users’ information between the browser and company servers while many, if not most, financial institutions with far more dangerous personal information rely on antiquated measures. For a long time at least one bank I know of required IE 6 till it was EOL because it was “more secure than its alternatives”. Said so right on its website.

    What’s even more ironic, is that the information on Google’s servers is not safe even then. Google markets, uses internally and sells services based on that data to ‘partners’ harvested from all Google services. It also is required by law to share all pertinent information to law enforcement or the various spy agencies of at the very least the US and UK governments. So even if the middle man snooper is cut out, that information is still not safe.

    • It’s not ironic, it is simply greed.
      It costs the bank money so they don’t invest in it unless they can bilk the consumer for “service fees”.

      At least with Google you knew when you signed up what the cost was. Your information would be used to market to you.

      When I use the bank I expect to pay for service and get that service, but instead I get service fee’d to death and receive crappy security.

  11. I ordered the middle priced key ($20) yesterday to try out. As far as the problem of using the key with a mobile phone, I noticed that one of the more expensive keys has NFC capabilities. That would seem to take care of that problem, as long as it works with the Google implementation. That particular model key sold out quickly.

    These keys appear to be a brand new product on the market, and I would expect many more to show up and the price to drop quickly, probably down toward the $6 that the one shipping from France costs. I almost bought that one, but the delivery was estimated to be the end of November to the middle of December.

    I would love to see my credit union adopt something like this.

    • I’m confused, I saw some youtube videos on how crooks can clone your information using nfc scanners… so how is nfc technology an advancement in security?

      • I was referring to Google Authenticator, which generates a 6 digit code that must be entered in addition to password in a shortish time window. Google can send that code via SMS or you can run an app to generate the code. Having accuratish clocks is a requirement for the latter.

        The NFC stuff used in Google Wallet is a different beast.

        So Many Standards to Choose From!

      • William Hugh Murray

        NFC offers no security. The security must be in the application. For example, if one uses it to pass a one-time digital token, it matters not if it is intercepted.

        For example, Apple Pay passes an EMV token. It is orders of magnitude safer than an RFID credit card, which uses the same contactless reader as Apple Pay but which passes the credit card number and the owners name.

        (While it is true that an RFID card can be read in your pocket, the reader must be within inches. If one gets that close to where I carry my credit cards, one is likely to get an elbow to one’s nose.)

  12. So where does this leave Google Authenticator?

    On the subject of why banks don’t offer 2FA to their consumer customers, it comes down to a support issue. Those banks that experimented with 2FA back more than a decade ago, found that too many people lost/misplaced their fobs. In addition, the 2FA process apparently was more than a lot of people could handle. The bottom line was it was a customer support nightmare. People blamed the bank for their own stupidity/incompetence. Rather than educate, the banks bailed.

    • GAuth isn’t going away. This is just one more option. I personally prefer GAuth. It’s not really something you have, but rather something you know (a long pre-shared secret) which is used to generate TOTP. The nice thing is that I can have it on my Android device, or anything that can run a GAuth app(let). I just need to have my pre-shared secret (of which I have a copy printed out in my safe) and I’m able to use it again. Downside is that if my phone were to be hacked, potentially this pre-shared secret would also be compromised (along with my stored Google password).

      • “I just need to have my pre-shared secret (of which I have a copy printed out in my safe)”

        What do you think of taking a picture of the QR code displayed during setup and storing those pictures on a SD card in a safe deposit box? You would use the picture to setup Google Authenticator instead of directly from your computer monitor to be sure the picture was readable.

    • William Hugh Murray

      Google’s strong authentication offers options to minimize the support cost. The user even has backup options that can be invoked on a per use basis.

      By the way, if my little three branch bank can offer strong authentication as an option, any bank can. For most banks it is an option in the software or service that they are already paying for. All they have to do is turn it on and let the customer choose.

    • Security ALWAYS has one major problem:

      the meatsack using it. People are the weakest link. Anyone that works in security knows this, and I can’t imagine anyone making an effective argument against it.

  13. I’ve been quite happy with Google Authenticator on two Android phones for 2FA with critical Google, Amazon AWS and LastPass credentials… the printed ‘one-time use’ codes are a great failsafe. No SMS involved.

    • Google Authenticator is also more general than this is (yet). One can have authenticator (program on iphone, android, whatever) do 2nd factor authentication against, for instance, a Linux workstation.

      You can have multiple keys running at once so the Google account authentication code can have nothing to do with the code for the workstation (except of course they are running the same algorithm).

      ..and, as you said, no SMS involved.

      Happy to have the option of a hardware token though.

  14. I am currently using Symantec Vip access app for my iPhone.
    I started using it after my paypal token died.

    Seems to be a reasonable alternative.

    When are companies like Amazon going to offer 2FA for their users?
    I’d sure feel a lot better knowing that there’s something there in addition to my crappy password.

    • William Hugh Murray

      I have the same question. However, I remain comfortable using Amazon because they confirm every transaction out of band.

      I am much more concerned that they use strong authentication for insiders. eBay did not. After their breach, I closed my account and sold my stock. As of June, Facebook did not. They are a breach we have not heard about yet.

  15. So it’s Google proprietary…

    What if there is an unknown/undiscovered bot or malware on that device that now has authentication rights? Will it be able to authenticate as well? Probably.

    So, in other words, it may knock out hijacking and MitM attacks, but that’s about it.

  16. TheOregnoRouter.onion.it

    A bigger problem is with smart phones and tablets, which typically don’t have full-sized USB ports. Furthermore, this type of token log-in could be enabled by way of a newly developed Bluetooth enabled device :–)

  17. I already use Google’s Authenticator application on my smartphone for 2FA, will that continue to work even if I get a U2F key (i.e. so I can authenticate with the app if I don’t have the key available and vice-versa)?

  18. I recently applied for Medicare using the government’s online website.

    There was no request to provide proof of who I am. All I needed was my name, SSN, date of birth and place of birth. Anyone who had the correct information could have applied and been approved.

    Clearly, the federal government is lax in any type of identity security at least in this case.

    • Brian has written articles about the Social Security Administration website and Medicare fraud. I don’t know if any of the information would be helpful to you. You might have to go personally to the local Social Security offices to ask for information about securing your identity.

      https://krebsonsecurity.com/2013/09/crooks-hijack-retirement-funds-via-ssa-portal/
      Crooks Hijack Retirement Funds Via SSA Portal

      “Meanwhile, some banks with customers that have been burned by fraudulently diverted SSA payments are beginning to back away from managing SSA account payment changes for customers, Maher said. Increasingly, those banks are directing customers to make such changes at their local SSA office or at the SSA’s new portal. Maher said that’s because the government recently instituted a process for reclaiming funds that are fraudulently transferred to accounts that were not authorized by the beneficiary.”

      https://krebsonsecurity.com/2014/04/states-spike-in-tax-fraud-against-doctors/

      You can search for more articles in search engines with these phrases:

      Social Security site:krebsonsecurity.com
      Medicare site:krebsonsecurity.com

  19. There are a number of U2F and UAF certified providers. The tech provides certificate based second factor authentication.
    OTPs, either via SMS, voice call or authenticators, are not Out of Band, which means that they can still be harvested during a Man in the middle attack. And of course we know they are also subject to various standard malware kits.

    So U2F is a definite step forward. It’s still not the end game yet. Would be even better if you could confirm the details of the transaction on the second factor / something-you-have device’s display. A number of providers offer such MFA solutions on your mobile phone (so not another device to carry around).

    [Disclosure: I work for one of those mobile MFA security providers that are on the certified list, called Entersekt. Even if you don’t use our stuff, please just switch on MFA for all your cloud providers.]

  20. I called Wells Fargo to see if they have 2-factor login options. The person on the line assured me of all the safeguards their website offers. But, I said, all that’s required is username and password.

    I was then directed to an “expert” who wanted me to pay $12.99/month for ID protection.

  21. I use an iPod Touch to run Google Authenticator and Authy and it works well. So you do not need a smartphone to do 2FA with Google if you do not want to use this new U2F.

  22. Krebs: I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions.

    You need to insert the word US here, people in other countries have been using two factor authentication for almost two decades.

    • I’ve seen some countries deploy 2fa, and I wasn’t impressed.

      Finland especially mostly relied on a printed card.
      If you took the card out in public, you basically gave away all of your secrets to anyone in the room (including all cameras).

      There are only a few kinds of 2fa out there:
      1. pre shared values (Google issues these as backup numbers, the paper/plastic cards from banks fall in this category)
      2. token generators (the subject of this article)
      3. out-of-band notices (SMS, voice calls)
      4. PKI certificate devices

      The first kind is subject to the flaw I describe. The version Google uses is a text file, and you can safely split its 10 numbers into individual strips — which means it shouldn’t be at risk. The bank version because of jumping “security” behaviors means that you will almost certainly be searching the whole card for the answer — while someone else is capturing the contents of the entire card.

      The second is what is described in this article. There might be some countries which use this model. I’m not aware of any.

      The third is used in some European countries and is vulnerable to MITM and Malory-at-the-endpoint. http://www.scmagazineuk.com/34-european-banks-hit-by-android-app-security-attacks/article/362424/

      The fourth is used by some countries (a number in Europe, as well as South Korea). Current news on this: http://www.theregister.co.uk/2014/10/14/south_korea_national_identity_system_hacked/

      I have instances of 1 (from Google) and from a European bank.
      I have instances of 2 (from RSA via various employers).
      I have instances of 3 (from Twitter, Facebook, Google, and a number of other providers).
      I have an instance of 4 from a European country.

      On that last one, it involves you setting a password and carrying around an ID which is the PKI card. I lost the password shortly after applying for the card (actually, I had the same problem w/ items from 2 which required passwords to supplement their tokens). This is more or less the problem that the US banks encountered when they tried to deploy 2fa: If a user doesn’t use something regularly, the user will lose it. It doesn’t matter if it’s physical, virtual, or memetic — anything you have and don’t use, you will lose. And if you don’t lose it, 9 out of 10 people who are more average than you are will.

      • William Hugh Murray

        We MUST NOT allow the perfect to be the enemy of the good. Please apply all your arguments to UID and passwords before you apply them to stronger solutions. Strong Authentication does not provide perfect security. One still needs out of band transaction confirmation, usage based controls, and multi-party controls. Even these are not perfect but they are efficient.

  23. When is someone out there going to re-do USB from the ground up so it’s secure?
    And I agree that if P-256 is in use, it’s been said the gov’t purposefully picks things it knows the math backdoors to breaking, so between the gov’t and Google I wouldn’t trust this one either if trust needed to include no gov’t snooping.
    And I agree and am aggravated with banks and bill pay sites that don’t even use basic 2fA of any sort, and some sadly still have a max password length of 8!

    • William Hugh Murray

      That is an over-constrained problem. USB stands for UNIVERSAL serial BUS. When one understands that, one understands why security must be supplied by higher layers.

  24. Only after I placed my order for a U2F device did I see a page from Google that restricts the use of such a device to Chrome v38 or later. I have v31, and when I check for updates, I’m told I have the latest version.

    Oops.

  25. There are a lot of options out there. But most large retail systems have been trending toward using something like Trusteer in the background within the online app to monitor for and possibly clean malware from customers’ PCs. I think most of the large retail FIs are using Trusteer in their consumer online apps. 2-factor is great, as are tokens, digital certs etc. etc. But they are a PIA to manage and maintain across the entire user base. Some of the most hardened stuff goes toward large commercial and business systems where the dollar losses have been and continue to be significant. The CFPB guards consumer accounts with a vengeance, ask any banker. So taking a financial loss as a consumer is much less a possibility than for a business of any size. Multifactor, Biometrics, Hardware Tokens, Secure Browsers/USB Sticks and Live CD are all yesterday’s technology in the commercial space. Nothing beats a live call back to a predesignated number and talking to a live “previously authorized” person for confirmation. That’s why the card networks still do it with all the neural network horsepower they have.

  26. What I find interesting is the total silence coming from Mozilla. Google and Microsoft are already involved. And if you look at the organizations that are members of the FIDO Alliance, there is an impressive list of banks and technology companies. But no word from Mozilla..

  27. So no 2-step security key for mobile, I love a new standard that relies on USB!!! I think the U2F standard is a joke designed by Google and Yubikey to sell more hardware. As a reminder, today in 2014 people access Google accounts on their phone or tablet, which (as a reminder) don’t have a USB port.

  28. Being a Lastpass fanatic, I would recommend NOT getting this model of FIDO YubiKey.

    The one you should get needs to support LastPass AND Google, so look at the NEO and NEO-N for more $$ but save you the hassle of having 2 fobs.

  29. How vulnerable is this USB key to the recently announced USB hack?

    • I don’t know, but I would not plug it into any USB daisy chains or USB hubs. Only into a socket soldered to the motherboard.

  30. Some banks do offer 2-factor authentication, but only for their business customers. At Citibank I was given a token that generates a different encrypted number I enter along with my ID and password to get access to my online account.