July 23, 2018

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

U2F is an emerging open authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, GitHub (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane and Keepass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.
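The phishing resistance described above comes from the browser binding every signature to the site origin the user is actually on, and from the site checking that origin and its own fresh challenge. The Go program below is an added example, not code from this article or from Google or Yubico: it is a simplified model of the U2F authentication exchange (one P-256 key pair per site, the signed layout sha256(appID) || user-presence byte || counter || sha256(clientData), and the relying party's origin and challenge checks), with the appID taken to be the page origin for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
)

// Authenticator is a toy Security Key: one key pair per registered site plus a signature counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // private keys never leave the device
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh key pair for appID and hands back only the public half.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[appID] = k
	return &k.PublicKey
}

// Response is what the browser returns to the site after the user touches the key.
type Response struct {
	ClientData []byte // JSON: typ, challenge, origin (the origin is filled in by the browser)
	Counter    uint32
	Sig        []byte // ASN.1 ECDSA signature over signedBytes(...)
}

// signedBytes follows the U2F authentication layout:
// sha256(appID) || user-presence byte || 4-byte big-endian counter || sha256(clientData).
func signedBytes(appID string, clientData []byte, counter uint32) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	out := append(app[:], 0x01) // 0x01: the button was physically touched
	out = append(out, ctr...)
	return append(out, chal[:]...)
}

// Login models the browser: appID and origin come from the page the user is actually on,
// so a look-alike site cannot ask the key to sign on behalf of the real one.
func Login(a *Authenticator, pageOrigin, challenge string) (Response, bool) {
	k, registered := a.keys[pageOrigin]
	if !registered {
		return Response{}, false // the key has never been enrolled at this origin: no signature
	}
	cd, _ := json.Marshal(map[string]string{
		"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": pageOrigin,
	})
	a.counter++
	h := sha256.Sum256(signedBytes(pageOrigin, cd, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return Response{ClientData: cd, Counter: a.counter, Sig: sig}, err == nil
}

// Verify is the site's check: the signed client data must name our origin and our
// current challenge, and the signature must be valid under the key enrolled earlier.
func Verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, r Response) bool {
	var cd struct{ Challenge, Origin string }
	if json.Unmarshal(r.ClientData, &cd) != nil || cd.Origin != rpOrigin || cd.Challenge != challenge {
		return false
	}
	h := sha256.Sum256(signedBytes(rpOrigin, r.ClientData, r.Counter))
	return ecdsa.VerifyASN1(pub, h[:], r.Sig)
}
```

A captured response is useless to a relaying phisher here: it names the wrong origin and a stale challenge, which is the property a one-time code typed into a look-alike page lacks.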

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubico also sells more expensive U2F keys designed to work with mobile devices.

If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. 2fa.directory maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc.) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.

While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenPGP email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.

Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys. Several readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:

“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”

187 thoughts on “Google: Security Keys Neutralized Employee Phishing”

  1. Ray

    U2F is great, but how are people making it work w/ mobile devices? Skipping the requirement for a USB oriented key and relying on password plus bio (something you know and are)?

    1. Aaron

      Yubico makes a key that uses NFC to pass authentication.

    2. qfan

      There is an NFC version of U2F physical token.

      Later on, phone manufacturers can choose to also implement a virtual U2F device based on existing biometric devices.

    3. Ben Kinder

      Hi Ray, the Yubikey Neo supports NFC communication so that it can be used as a physical second factor with Android. This is supported on iOS as well but the only app I know of to support it on iOS is LastPass.

      If you buy a lightning to female USB adapter you can also plug the Yubikey 4 or Yubikey Neo into your iOS device and have it act as a keyboard. When you tap the gold button on the Yubikey it will type a one time password into whatever text field you have selected.

      Here’s a demo of the NFC functionality: https://youtu.be/e2jAJhNOfdY

      1. qfan

        When working as a keyboard, the Yubico device is being used as Yubico OTP, which is NOT as secure as standard U2F.

        Phishers can steal the OTP and use it before the real user uses the next OTP online.

        U2F on the other hand, cannot be used by phishers.

        1. Marco

          Not quite: it’s a time-sensitive OTP, so the attackers have at most 60 secs to use it. Granted, an automated phishing UI could do that (turn around and use the OTP), but this problem is common to *all* crypto-based OTP.

        2. thoromyr

          LastPass is okay for what it is, but I stopped using it earlier this year when I discovered that using their app to make my phone a second factor was discretionary not mandatory: I tried to unlock LastPass and discovered I’d forgotten my phone at home — the “unlock” failed, but still successfully retrieved the password.

          In other words, all that was needed to decrypt was the password, but they pretend in the UI that it fails when flagged for 2FA.

          Doing this right is tricky and their eyes are on how they can make money, not getting their cryptography implementations correct. Sad to say, I don’t think there is anyone else in the space who does any better.

          For someone in the Apple ecosystem with a new enough iDevice there’s reasonably good hardware (the iPhone’s secure enclave is actually fairly secure — though not perfect — unlike the android implementations) so using the Apple keychain is *possibly* more secure.

          But… it throws me when one iDevice asks for the passcode of a *different* iDevice to prove my identity. It seems a sketchy way to do proofing and escalating through their support got nowhere. Front line support tried to be helpful, but apparently this is an area where Apple believes in “obscurity before security”.

          1. Mark

            Sounds like you had the “Permit Offline Access” option enabled. The interface warns “Controls whether access to your vault will be allowed when not connected to the Internet. Allowing access to your vault when offline is slightly less secure since one time passwords can not be validated.” That sounds like what you’re talking about happened.

      2. Ray

        Thanks, all. Those look like good options. Have any of you found success in adopting with your user bases at scale (hundreds or thousands of people)?

        The PC UX story to me is excellent (the U2F experience is better than the TOTP mobile app based MFA experience, IMO).

  2. Jim Smallwood

    Early coffee over a very informative work.

  3. Jack Smith

    The Pixel Book has one built into the power button. Other PC makers need to follow the Google lead.

    1. Mike Schwartz

      It’s not enabled by default. I think you need to be in “Developer Mode” also… which is not for everyone. Then go to the Chrome Shell (with Ctrl + Alt + T) and type the following command: u2f_flags g2f

      I tested it with the Gluu Server, and with Google–both are working. It’s really a cool feature, but probably only for geeks.

  4. DavidD

    This looks like a good solution for the new PCI DSS requirement for MFA. MFA has always been required for remote privileged access into the digital payment card data environment, but starting this year all, and not just remote, privileged access must be authenticated with it.

  5. Steve

    Does google still mandate that a phone be connected to an account before allowing U2F?

    I own multiple U2F devices, but will NOT give google my real name nor a phone number just to have U2F.

    Github had the same policy.
    They need to correct this.

    1. BrianKrebs Post author

      I believe that Google does phone verification as a prerequisite for setting up all new Gmail accounts, as do many other email providers as a means of thwarting spammers who try to auto-register accounts or mass register them for resale to scammers and spammers.

      https://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/
      https://krebsonsecurity.com/2013/08/buying-battles-in-the-war-on-twitter-spam/

      In addition, I believe a phone number is required as a prerequisite to setting up 2FA in Gmail (someone please correct me if I am mistaken here).

      1. h.

        That’s exactly why I haven’t set up 2FA on Twitter yet. I want to remain anonymous there. I’m sure it’s because of advertising. I’m using 2FA with Google Authenticator wherever I can and it’s very good until you need to change your iPhone. Restoring an encrypted backup is not enough; you have to manually re-enter dozens of sites from your backup codes that you hopefully still have somewhere. Google Authenticator 2FA doesn’t prevent you from getting phished, but I assume the phishers are currently still too lazy to implement 2FA phishing as long as there are easier targets. I avoid SMS 2FA wherever I can, because I have no mobile reception in my underground office and when on vacation in another country it won’t work either (different SIM/number). U2F FIDO sounds good, but it’s still in its infancy with missing support in IE/Edge/Safari and limited mobile support.

    2. Google

      Don’t worry, we have your name. It’s part of BIG DATA! Also, public information with your vehicle registration and your Home address.

  6. qfan

    I thought LastPass only supported yubico’s phishable proprietary OTP, not the generic anti-phishing U2F ?

    1. BrianKrebs Post author

      There is a link in the story to LastPass’ process. Each provider has hyperlinked instructions in the story.

      1. qfan

        Trying again with faq id pasted… ( https://lastpass.com/support.php?cmd=showfaq&id=8126 )

        LastPass supports YubiKey device, but it only uses the OTP feature, not the U2F. Their website is very misleading because it says “YubiKey supports U2F”, but this is a multi-feature device and LastPass itself does NOT support U2F.

        Many websites and articles therefore list LastPass as “Support U2F”, which is false.

  7. Steve Connolly

    USB based security key, interesting for most folks except those at a company that was epoxying all the USB ports on their Computers. Saw the article maybe 2 years ago about that, don’t recall that the article actually mentioned the firm by name.

  8. Joe Ovez

    Touch to auth is also the part that Google ignores for some strange reason. Their high security Gmail program defaults to remembering the device! There isn’t a way to disable it either.

    1. Anon Coward from PA

      @Joe Ovez:

      On Chromebooks, there is an option to not remember the YubiKey authentication in the login dialog. The key will be required on startup and following any login to GMail.

  9. Quick

    It’s only a matter of time until someone figures out how to hack that login method. It could be as simple as learning the algorithm to those keys and sending that information indirectly to the USB port and saying there is something present when there is nothing there. Very similar to when your USB port says something is still connected even after it’s been disconnected for 10 mins.

    1. Ben

      Wrong. U2F is an open standard. That means the algorithm is not secret, it’s published for all to see. There is probably even reference code out there somewhere. Learning the algorithm cannot help anyone trying to “hack that login method.” The algorithm depends on a secret number, generated at random, which never leaves the device. Without the secret number there is no way to fake the correct responses from the USB device.

      1. How So

        And if they use a deterministic random number generator on the device? Not that this development isn’t a good thing, but Google is very likely not using these as a master key. Very likely they tell employees to single task/responsibility these keys.

  10. josePh

    o))) 4️⃣☠️ so yeah WAY TO GO YUBIKEY you’re protecting my account and my G/\c0De Power Website

    o))) 4️⃣☠️ awesome i knew you wouldn’t let me down

  11. Steve

    What happens if I lose my U2F physical key? Am I locked out of my accounts?

    1. timeless

      Google advanced protection requires you to set up two keys. You also can set up rescue things. There are other recovery mechanisms, but they’re intentionally slow (measured in days).

  12. Joel

    As per the site you linked, keepass does not support U2F as stated on this page but OATH-HOTP, which, as opposed to U2F, is not a challenge-response method but a shared-secret method (and thus a completely different cup of tea). Just saying.

    1. qfan

      Too many security articles list password managers as “Support U2F” while many of them only supported some non-U2F features on some many-in-1 devices like the expensive version of Yubikey.

  13. Julián

    Check Mailvelope (www.mailvelope.com) for a free, open source solution that integrates PGP into Gmail in an almost seamless way. We use it a lot at the company I work for.

  14. Michael

    We use FlowCrypt (aka CryptUp) with Gmail for what seems to be an easy to use PGP email integration… it has a Chrome browser plug-in and an app for mobile devices. Would be interested in the thoughts of you and the community vs. the product mentioned above… mailvelope.com.

    Pros…Cons…Suggestions

  15. Paul

    My question is how is this considered “multi-factor” authentication if all the user needs to authenticate themselves is possession of the hardware key? What are the multiple factors? Yubikey even makes the nano key that is designed to pretty much always stay in the USB port, so at that point it is basically a hardware log-in button. Doesn’t seem very secure to me without the second factor (something you know / a password). Am I missing something?

    1. Brad

      You still have to know a password. The hardware token creates a one-time user id that the system recognizes along with your password. However, you can make the password much simpler as you can’t create the one time code without the hardware token.

      Hope this helps.

    2. Reader

      You’re not missing anything.

      I’ve been around offices with people using these things. Literally every person just leaves their key plugged in all day long.

      I’ve seen keys plugged in after-hours, too. Inquiring why, I’ve been told, “if I take it home and lose it, I’ll have to pay HR $40 for a new one,” or IT writes them up, or whatever.

      No one seems to care about leaving security keys out for the cleaning staff or rent-a-cops to find.

      They’d be better off using the ID badge, with an RFID tap-to-enter-a-password thing, and a retractable cord. Cheaper and practically indestructible.

  16. Eric Jutras

    Hi Brian,

    We use the Mailvelope chrome extension to encrypt/decrypt emails with PGP…

  17. Dan

    They can verify only company issued devices can log in by checking the CPU, motherboard, video card, NIC card serial number. Also, this device has been locked down so a disgruntled employee can’t steal any corporation data or launch a virus program. Hackers can never break in.

  18. ricardoRI

    What am I missing? Someone loses their key, how do they recover? They can’t even log into their email account to get their info. If the key is stolen, don’t the thieves have complete access?

    What are the multiple factors if no password and no biometric?

    1. Anon Coward from PA

      @ricardoRI:

      Q: What are the multiple factors if no password and no biometric?
      A: You need a User Name, Password, a YubiKey inserted into a USB port and a physical touch while the key blinks. There’s a low-profile key available that people leave in their machines all the time, but you must touch it to authenticate.

      Q: If the key is stolen, don’t the thieves have complete access?
      A: No, the thief needs your password.

      Q: Someone loses their key, how do they recover?
      A: Purchase and register two or three physical keys on each account. Keys don’t need to be from the same vendor. One key can be registered with many Google accounts.

      There may be other ways to recover but the second key seems like the most straightforward option.

  19. Paul W.

    I would have thought with recent developments and attacks against integrated PGP/GPG that you would stay away from fully integrated PGP tools for email clients.

  20. Bryce

    Mr. Krebs seems to be making an assumption or conflating account takeover with phishing. The quote from Google says they have had no account takeovers. Great. However, there is NOT a quote from Google in the article stating they had no successful phishing attacks. Account takeovers (stealing credentials) are a sub-set of the universe of bad outcomes from phishing; examples of other types of negative outcomes from phishing are malware being installed or the recipient being duped into sending back confidential information, such as the payroll information scam. I’d like clarification on this point.

    1. BrianKrebs Post author

      That may be what their quote says, but I’ve had extensive background conversations with Google about this and they definitely said this has stopped successful phishing attacks.

  21. John

    I like the idea of the YubiKey Security Key, but it won’t work for me, even though the $20 price is attractive. If I want something that will work for both mobile and desktop, the YubiKey Neo (x two or three units as backups) looks better, as it works both with USB and Near Field, and supports FIDO U2F (and One-Time Password for supported sites). The downside is the $50 cost instead of the Security Key’s $20. If I only did laptop email then the Security Key would be the right move.

  22. Mike Schwartz

    I have been advocating for FIDO U2F tokens for a long time… years. Other than smart cards with mutual TLS, USB hardware tokens are the only authentication technology that protects the access channel, thus protecting you from MITM attacks (where phishing emails are the most common way they are initiated). Note: OTP and mobile push notifications will not protect you from MITM attacks–that’s a really big deal.

    If your organization wants to use FIDO U2F security keys, just like Google, it’s also very easy to deploy–and deployment complexity (i.e. cost) is the biggest hurdle to adoption. To enable U2F authentication in the Gluu Server, you can literally just check a box. Gluu also offers an application called “Credential Manager”, which is a one page user facing web application that enables users to enroll (and delete!) FIDO security keys. For more info on Cred Manager and the Gluu Server, see the docs: https://gluu.org/docs

  23. John

    I may be missing the point, but using a key to prevent someone hacking an email is great; I use one myself. However, once an email is opened and it’s clicked on, that key doesn’t prevent anything from going wrong; it’s just a tool for signing in. I believe the story is inaccurate.

    1. Mikey Doesn't Like It

      John, the article isn’t misleading — it simply focuses on (as you note) the process of signing in. Sure, there are plenty of other vulnerabilities in email… but securing the sign-on process alone prevents many back doors from ever being opened. Which, of course, reduces one of the main entry points for wreaking havoc with systems today.

  24. David

    What about companies that block USB ports, either through the registry/3rd party tools or, I guess, epoxy as stated above?

  25. Roger Grimes

    2FA options are definitely better than 1FA, but any 2FA/MFA option can be successfully hacked. I’ve been presenting the 12 Ways to Hack 2FA for a few weeks now. There is no such thing as unhackable. As 2FA and other physical methods become more popular, the hackers will respond, and what was once “hacked less” becomes hacked. With that said, anything beyond 1FA and passwords is substantially better. Right now the only downside is that there isn’t more support. We all need to get to 2FA/MFA and push our vendors to support it more often and better.

  26. Mike Z

    I’ve used both iris recognition, fingerprint recognition, google authenticator, Yubikey and SMS TxT to mobile as the 2nd factor in 2 factor. By far SMS TxT is the most convenient. Iris recognition is the most secure but expensive, and only for the most extreme applications.

    In terms of encryption PGP can lock down a laptop disk drive, or a file with a self decrypting archive. It is very easy to use.

    Digital certificates are a mess. Don’t even try to use them. 🙂

  27. appy

    brian:
    how about an article on how google prompt and yahoo account key may fit into all this? I myself have never set those up and am wondering if those are a good thing instead of just using passwords and 2FA codes.

    I am already using something for my credit union app where I do touchid and then wait for a push notification to then press to approve or deny. and then there is walmart pay where I use touchid but don’t really have a multi factor, yet it is just so easy to use with just the touchid. one particular store app with a multi factor is the cvs app with cvs pay where I use touchid and then input an already set four digit code that you already made up. of course on these if you don’t have touchid, then you have to always type in your password. but the idea here is convenience using the touchid plus hopefully an easy multi factor of some sort.
