July 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane and Keepass. Duo Security [full disclosure: an advertiser on this site] can also be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubico also sells more expensive U2F keys designed to work with mobile devices.

If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. 2fa.directory maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc.) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.

While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenPGP email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.

Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys. Several readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:

“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”

187 thoughts on “Google: Security Keys Neutralized Employee Phishing”

  1. Greg Cope

    Have you tried mailvelope for GPG in gmail?

  2. drake

    A physical security key will also serve very nicely as a digital fingerprint, identifying the individual wherever they go. Nice stealth Internet Drivers License they are shoving at us. They have wanted this from the beginning. I guess 911 has a VERY long tail. Security above all else.

  3. Emil Lundberg

    @drake
    Nope, U2F keys do not work as a digital fingerprint you can be tracked by. Both the U2F and WebAuthn standards are explicitly designed to prevent exactly that. A new key pair is created for each site you use the security key on, and the key pairs for two different sites are not correlatable.

    1. Jeff G

      For me, Better The Devil You Know Than The Devil You Don’t.

      Love me some Google devilishness!

  4. Glhussong

    It seems to be the item I am looking for.
    However, I’m unable to locate ordering
    information. I have a visual defect and
    that may account for missing the info
    needed.

  5. Jeff G

    I see that you can buy Yubikeys on Amazon … I also see that they are being sold as used devices at a discount.

    I’m guessing that buying a security device like this used is OK as long as it’s not a knock-off, but I can also think of ways that this might not be a great idea.

    How easy is it to clone such a device?

    Thoughts?

  6. Anon Coward

    I love the misdirection. FIDO pushes the attacker from phishing to malware or bypass or some other vector that FIDO fails to address, and (no surprise) that google doesn’t disclose to us.

    You need to get rid of the bad guys, not just move them to a different attack vector! Security needs a UX faster, easier, and more convenient than anything people have or use now (or else nobody will use it!). It needs to defend the true breadth of modern threats, with nothing whatsoever out of scope; it needs to address side-channels and tricky bits, like enrollment, loss-handling, social-engineering, friendly-frauds, etc. It needs to work everywhere people need it, which includes over the telephone during calls, as well as in-person. It needs to be globally affordable, privacy respectful, self-service (support free), and to interface with everything people need it for (IoT, no-screen devices, remote equipment, etc.) without introducing new risks (e.g. USB/wireless infection/theft vectors).

    Security Keys do none of that.

    1. BrianKrebs Post author

      You’re right, of course. This doesn’t solve all attack vectors. Does that make it not worth doing?

      Every time I write one of these stories that includes tips on how to lessen the risk from a particular type of attack, we get a flurry of comments from people suggesting the precaution that is the subject of the story won’t stop all attacks. My point is these types of comments only serve to discourage people from taking more responsibility for their own security.

      1. Joseph Vannucci

        On a related note. I can get shot by a pistol through my front window and the airbags are doing nothing to stop it. I’m throwing out these airbags – expensive safety theatre!

  7. Chris

    LOL – remember who else used these gadgets? Mt.Gox. How well did it protect them?

  8. User

    Can you explain how the key is more secure than a physical token or mobile token+pin? I understand the risk of the SMS based 2 factor, but wouldn’t the physical token or software token provide the same level of security?

    I see a huge difference between saying “eliminated phishing” or “successfully phished” vs “confirmed account takeovers”. Along these same lines any form of 2fa should yield the same results of preventing account takeovers vs stopping/preventing/eliminating phishing as I’ve seen stated in other articles.

    1. Nick Goede

      You can phish the codes generated by a token generator if the user has to type it in. With these tokens the user never has access to the code so they can’t give it to an attacker.

    2. user

      RE: “Can you explain how the key is more secure than a physical token or mobile token+pin?”

      RE: “mobile phones”
      All software has issues. Mobile phones are known to have their own attack vectors. Apple forces updates (to a point), Android (doesn’t), other “smart phone makers” ????

      Thinking of them as “secure” is not only foolish, but dangerous.

      RE: “+pin”
      If a human can “make a mistake” then it will happen.
      Maybe they could “use the same pin” for something else? (Like their ATM card? The lock on their bike? Part of their phone number? Part of their national ID?)

      If a physical thing is needed to “get the magic to happen” and that thing only “outputs data” then it is a much harder task to reproduce what that thing would do.

      Still not completely impossible, but MUCH, MUCH harder to do. To understand that risk you need to get into some serious math that is the foundation for crypto. And I will take those odds or trusting people to do “the right thing all of the time”.

  9. user

    an interesting and timely post

    REF: https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

    “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

  10. JOHN H MITCHELL

    You may want to update this with the recent SMS attack on Reddit(?).

  11. Bill

    What happens if someone loses this device? I would not want the mere possession of the token to allow entry.

    Wouldn’t possession of this token PLUS entering a password be a better security model?
