23 Jul 18

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys as the second login factor, in place of one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer a phishing-resistant form of two-factor authentication (2FA). 2FA requires the user to log in to a Web site with something they know (the password) and something they have (e.g., a mobile device or, in this case, the key).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F). After entering the password, the user completes the login simply by inserting the USB device and touching a button on it. The key holds a private key that never leaves the device; it signs a challenge from the site, and the browser folds in the site’s origin as the browser actually observed it, so a response produced on a lookalike phishing domain is useless at the real site. The key works without the need for any special software drivers.

Once a key is enrolled for a specific Web site that supports Security Keys, the site asks for a touch of the key alongside the password. Many sites, Google included, remember a browser that has already presented the key, so the key is requested again only when the same account is accessed from a different device or browser.

U2F is an open authentication standard published by the FIDO Alliance, and so far only a handful of high-profile sites support it, including Dropbox, Facebook, GitHub and, of course, Google’s various services. Several major password managers also now support U2F, including Dashlane and KeePass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API, also known as “WebAuthn,” a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance as the successor to U2F. WebAuthn keeps the same design: the authenticator signs a challenge together with the origin the browser saw, so a credential captured or relayed through a lookalike domain or a man-in-the-middle proxy does the attacker no good, and the check is made by the browser and the key rather than by a user squinting at a URL. It also opens the door to logins that require no typed password at all.

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In Firefox (including the Quantum releases, version 57 and later), the older U2F API is not enabled by default. To turn it on, type “about:config” in the address bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.” Recent Firefox releases enable WebAuthn itself by default, so sites that use WebAuthn rather than the legacy U2F API need no such change.

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB-A versions as well as USB-C models for devices such as Apple’s newer MacBooks). Yubico also sells more expensive keys that can talk to mobile devices over NFC.

If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. Twofactorauth.org maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. Bear in mind, though, that an app-generated code is still just a six-digit value with no tie to the site: a phishing page that asks for it and relays it to the real site within its 30-second window gets in. Only a Security Key closes that gap, because its response is bound to the site. Still, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is better than simply relying on a password.

While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but Wired.com recently published a decent rundown about it. Incidentally, that article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenPGP email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.

Update, 4:09 p.m. ET: An earlier version of this story incorrectly stated that password manager LastPass supports U2F with Yubikeys. Several readers commented that LastPass in fact does not support U2F, despite literature on the company’s site that seems to suggest otherwise. I checked with the company, and they confirmed that only Yubikey plus a one-time password (OTP) will work with LastPass for now. From their statement:

“Although supported by some large organizations, including Google and Github, U2F still doesn’t have widespread support among web sites. Although we have been following its progress since it was first announced, LastPass does not support U2F at this time. Only Yubikey with OTP will work with LastPass right now. However, since Yubikey added U2F to their keys, they have a dual OTP+U2F mode, which is the default. The chip on the key can tell whether the computer is asking for the OTP or U2F, and to send the right response.”


187 comments

  1. The Yubikey is kind of an old, well-known product; they developed it at least 6 years ago. I can see why it’s news now for anyone that knew 2FA.

    In the E.U. we have other options like government-issued ID cards with a personal certificate embedded in a smart chip that supports NFC and smart readers.

    The US appears to be quite a laggard in high security 2FA authentication using secured external devices.

    • Null by Design

      we really are – and it’s not because we lack knowledge of them, I just haven’t seen anyone take them very seriously (for unknown reasons).

      Speaking of Yubikey – they now have a FIPS certified device… so now they even have one that people/orgs working with .gov sites can use…. because I worked at a company that was literally holding off because of that and instead relying on 4 different forms of TFA that ranged from maybe decent to ‘updated a few years back.’

    • You’re confusing Yubico’s original OTP Yubikey product, which they designed on their own about 10-ish years ago, with the newer U2F design (which Google helped them create 4-ish years ago).

      The original Yubikey can be phished, since a one-time-password is still a password, and can be stolen just as easily as your “normal” password if used right away.

      The new Google one can’t be phished: Chrome connects directly to the USB hardware to generate the cryptographic response. So only the Chrome browser session directly connected to the USB device can authenticate…. which is why you need browser support (why it doesn’t work with Safari, for example).

      It’s a solid protocol, though. It pretty much “solves” phishing in terms of credential stealing, even against highly-skilled nation-state-level attackers. So it’s about time the other browsers got around to supporting it.

    • > we have other options like government issued ID cards

      Many Americans have a deep distrust of anything “government issued”.

      • Like a government issued state driver’s license, federal government passport, federal government social security card, Medicare card….

        Get my point.

    • The only problem with FIDO U2F is lagging server-side (web framework) support that hinders adoption. Larger companies such as Google, GitHub, Facebook and Dropbox, which all support U2F, probably have the resources to maintain their own implementations.

      From an end-user perspective, using them is a breeze.

      • RSA’s SecurID Access works with FIDO U2F tokens and provides a number of integration options for enabling U2F on SaaS, Cloud, and on-prem enterprise web apps.

        • Bob is correct in that Yubico has not solved all of the issues even with Google’s help. This is an okay solution but far from perfect.

          The suggestion that RSA’s SecurID is an equal option is a bit off base. SecurID is not very secure at all and has been breached a number of times. Hackers break RSA tools frequently because they can.

          The debate regarding hardware keys being broken is understandable, but unfortunately, as much as we would all love to think they are infallible, I have watched as they were hacked at Blackhat in real time. It won’t happen often or to your average user, but if someone is really looking to steal corporate IP or state secrets, they can.

          • Joy, I think you misunderstood my comment. My statement is in reply to Antti N.’s comment about a lack of server-side support for FIDO U2F. This is particularly true in the enterprise. I use the RSA solution to FIDO enable web and SaaS apps that lack native FIDO support. I am using industry-standard FIDO tokens (mostly Yubikeys), not SecurID OTP tokens.

            I’m not suggesting one token over the other, each have their place. I question the practicality of much of what is demonstrated at Blackhat, but I agree with you that no solution is infallible.

          • Interesting point. RSA the company has been breached in 2011 with an APT and social engineering, like a lot of companies have been before and after, but the product has not been hacked.
            See https://www.csoonline.com/article/2129794/data-protection/lessons-from-the-rsa-breach.html

            Another interesting point is that the BlackHat SOC is actually protected with RSA’s SecurID Access on the Palo Alto Networks NGF.

    • Robert Morgan

      So, after your kidnappers extract your password under duress, all they need is that card you have and they get access to everything, how convenient for them.
      Biometrics, you say? So I don’t even need ‘you’, I just need your removed eye or finger, even better! Why not a primary and secondary password, so you have to be alive and willing to hand everything over?

  2. Richard Raborn

    Have to use a similar device just to see patients daily in medical practice. One patient told me they only used such a device when they wired over $1 million overseas.

  3. Every once in a while I look into buying keys for personal use, but the problems I’ve read about make them about a fifty-fifty deal in terms of being problem free.

  4. One federal government organization with which I am familiar requires its people (at least those in management and other critical positions) to use both a security key and the person’s badge to use the laptop issued by the organization. Both the key and the badge must remain inserted while using the laptop.

    • The federal government, the military, and Google all have the same thing in common: they control the devices, the people, and the servers, and can order people to take the necessary steps to stay secure. That makes this news a lot less impressive than it sounds; if you control the entire environment and the people in it, then you had damn well better be able to make it secure.

      If the story was “Google Stops Mom and Pop from Getting Phished”, then it’d be something.

      • Robert Morgan

        Take it all the way…if the government and Google developed it, it’s useless to us.
        There is zero chance they would not backdoor it.

      • Agreed, this is not news… seems to be more of a product advertisement for an upcoming Alphabet product. The slowest tortoise in the INFOSEC race (i.e. the US Government) deployed 2FA on hardware tokens 13 years ago… four years after Sun Microsystems.
        For the tinfoil hat wearers out there, the crypto processors on them weren’t developed by the USG, either. Commercial companies like Oberthur, Gemalto, SCM, etc. designed them to use standards-based X.509 certs and OTP technologies.
        Widespread adoption of 2FA is still a great thing that reduces the inherent weaknesses of the human factor, but it still does nothing for userspace malware or OS privilege-escalating exploits.

        • Edit:
          I had no firsthand knowledge Google was going to start selling their own U2F key when I wrote yesterday’s comment. The whole original writeup seemed a bit phishy (pun intended), and looks like my instinct was dead on… https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/

          • What was phishy about it? As I said on Twitter to someone who insinuated this was timed to Google’s announcement about its own key…Google told me about the lack of successful phishing attacks against its employees almost two months ago. I sat on this story until this week because I had bigger stories to chase. But go ahead and read into what you want.

    • The requirement for card/token-plus-password access is hardly limited to ‘one government agency.’ It is a government-wide mandate arising from HSPD-12 in 2004, although funding limitations have delayed full implementations by some agencies. The PIV cards generally control access to both computers and facilities themselves. Some problems with implementations are noted in https://gcn.com/blogs/cybereye/2018/04/piv-cards.aspx

  5. I’m a little confused… Can some please point me to the best / most effective Key I order online?

    Thanks.

    • Yubico is the key most often recommended and can be had from Amazon for $20 – $60 depending on the model.

  6. I think it’s about time, especially as large as this country is, to begin using electronic devices to authenticate who we are, instead of trying to remember a password each time.

  7. YES !!! I agree with Raaju (7-24-18.12:19am)
    I thought that I was understanding the YUBICO security key… However, the more comments I read the less I understood.
    As a single user, non-corporate / non-gov user; what would I need and what to do? I thought that I could use the Yubico key to log in to my Google account (correct)?
    Then, do I have the option to use the Yubico key for websites I visit if those sites support it? If they don’t support it, then do I omit the key support? Or is that possible? If there are only a handful of websites that support this key, am I wasting my time & $ to use it only on my Google account login?
    Should anyone reply to this – please do so in simple English that an individual, nonprofessional user can understand. I am interested in this, but don’t know if I should be…. Thank You, John

  8. In Firefox 61 (latest Firefox Quantum), there are new settings in “about:config”:

    security.webauth.webauthn: default=true
    security.webauth.webauthn_enable_softtoken: default=false
    security.webauth.webauthn_enable_usbtoken: default=true

    (The other setting “security.webauth.u2f” still appears with default=false.)

    I think that sites with webauthn should work with out-of-the-box Firefox 61 and newer. Haven’t checked yet.

  9. We went a bit of a different route. Check out Ericom Shield.

  10. I can definitively say that I will never use a security key in my personal life.

    A password can be written down and shared with a loved one, for use if I’m ever sick or dead. If I forget a password, I can open my papers and find it easily.

    What will I do if the security key breaks or is lost? How will my loved ones share access to my accounts, if my security key is with me on vacation?

    Just because it’s not currently practical to duplicate a security key doesn’t mean it’s impossible. It offers only the illusion of security and at a high cost.

    I see it as an unnecessary and wasteful expense for personal use. I also see it as a hindrance to continuity of account access among loved ones.

    • I wouldn’t say ‘never’ on using security keys, but you point out many of the current problems.

      For cases of no fallback authentication, you need at least 3 keys to prevent an unrecoverable account: 1 with you, 1 at home, 1 stored in a separate location to handle the destruction-by-fire case.

      There still needs to be a username + password given to clarify which user is wanting to use the key, and prevent loss of a mobile device + key giving a finder full access to the mobile device.

    • Most services let you register more than one key to the same account (you are in fact recommended to, for recovery in case one is lost), so you can register both your own and your loved one’s key to your account and you can both access it as usual.

  11. Well, in the scenario of using just one U2F Security Key on either a PC, Android, or iOS device, you may find FEITIAN MultiPass is the only solution.

    BTW, Google is also using this Security Key protecting its employees’ accounts.

    https://www.ftsafe.com/Products/FIDO

  12. You may want to consider using web-based Protonmail for your encrypted email needs.

  13. I’ve been using YubiKeys with LastPass since that option became available. Doing that, plus taking advantage of the password manager’s ability to generate and easily store, manage and fill in different, complex passwords for each website, makes it a solid option. The YubiKey in this application is only used as an OTP to supplement the master password.

    There is a lot of confusion out there, over terminology: U2F is not the same as OTP.

    For example, the article erroneously claims LastPass supports FIDO U2F. They do not, and it has been a major irritation that they refuse to do so with the classic “you go first” argument: they won’t do it until all the major web browsers do. Instead, they use an OTP generator, either in hardware (original YubiKey) or software (Authy or Google Authenticator). The original YubiKey only supported a couple of OTP technologies, and U2F was added later, to the $50 models.
    By contrast, the inexpensive U2F-only keys, like the Feitian products, only support U2F, not OTP.

    It’s also important to understand the history: Google has been using U2F for many years. Google was a co-developer of U2F. I was a beta tester of the first Yubico-manufactured U2F keys, built for Google and used solely on Chrome Browser and Chrome OS. However, that original (and still available) option to use a U2F key for 2FA can be bypassed if necessary, by using a backup method of exchanging a one-time PIN.

    What’s new and different about “Advanced Protection” is this: under Advanced Protection, those backup 2FA options are removed, so a perpetrator can’t phish their way in, by invoking one of the less-secure recovery options — they must have your physical key.

    Finally, I think it was mentioned in the Wired article, that you’ll need to carry both keys with you (in your pocket or on a key chain). This is a terrible idea, as you could lose both of those keys at once. Either do that and get a third key, or only carry one key at a time.

    • This is an important distinction re: LastPass. The article should be updated to reflect this as the whole point of U2F is to prevent the phishing methods available for OTP 2FA. Claiming that LastPass supports U2F is incorrect.

  14. Regarding encrypted email in Gmail, I find Mailvelope very useful.

    Then you can still use your Gmail or Outlook address with PGP encrypted communication.

  15. I generally love Advanced Protection, but it’s a bit frustrating they require Chrome for it. FF has u2f, there’s literally no need for that Chrome requirement other than vendor lock-in. I use FF as my daily, so I literally just have to have a Chrome installed to deal with the occasional Google stuff.

  16. What about browser plugins for Gmail PGP/GPG?
    https://superuser.com/questions/480270/how-can-i-use-encryption-with-gmail
    Flowcrypt and Pandor might also be options (for Chrome at least)

  17. Does the USB key work with mobile devices such as Android phones and tablets? Seems like a pretty big limitation if it doesn’t, for a world that is mostly mobile already.

    • The YubiKey Neo uses NFC to communicate with a phone. No USB required. I’ve found not many apps support the Neo on Android however.

  18. That is pretty impressive to have that much success on that volume of employees. I wonder how many fall under the advanced protection program?

  19. This article overstates the protection provided by security keys. Yubico makes it clear that Yubikeys solved the account takeover problem, not the entire phishing problem.

    https://www.yubico.com/about/reference-customers/google/

    That still leaves these phishing problems which are not account takeovers:

    – If you trust the machine, then you can log on to that machine (and so can the bad guy) without the device

    – Every app doesn’t support these devices, so some stolen username/passwords remain valuable

    – Users can still load malware from attachments and evil websites. These undefended compromises could be ransomware, remote command and control, spyware, keystroke catchers, lateral movement, privilege escalation, etc.

    – The business email compromise doesn’t use stolen credentials. The authorized person with the credentials enters the bad data following instructions from the phisher. The FBI found that the business email compromise was the leading internet crime.

    – Protected sessions can be hijacked, so the bad guy merely uses remote C&C to monitor when the user starts a session.

    – Users can still divulge data in email correspondence. Like giving up payroll tax returns or merely providing information in the text of communications.

    Security keys provide an important layer of protection. They don’t solve the phishing problem.

  20. Very intrigued by U2F and will end up getting one. I’m curious as to your thoughts on push authentication such as Duo. You need the app on your phone and it sends a push auth acknowledgment. I say that is better than SMS/text code for two factor. I still feel it is just underneath U2F in terms of auth hierarchy.

  21. This prevents account takeovers, but doesn’t seem to do anything about malware attacks that come through phishing. Seems like it leaves people open to ransomware and other kinds of malware. If I am misunderstanding the purpose, plz correct me, but seems like this should make clear that it protects against account hijacking, not phishing attacks in general.

  22. Brian, interesting article and I agree it is strong authentication. Our client went 9 years totally protected before switching to a different online banking system and dropped our solution against the wishes of their IT Manager. So Brian, did you have a change of heart, as I remember you being very skeptical about both our hardware and software tokens? I’m glad to see you have learned more over time, as anytime you remove the human element from just one of the security factors you then provide very strong authentication. However, I understand that OHVA, Inc. was not Google!

  23. Michael McMillan

    A couple of years ago I was driving lyft in Silicon Valley, and attempted to return one of these to a google staff person who accidentally left it in my car. After 3 levels of escalation a supervisor told me to throw it out because they had no simple way to determine who owned a physical key.

    I realized quickly that that is both genius and inconvenient, then dropped it in the trash can that they could see while I was on camera.

  24. Robert Morgan

    Please insert hardware key for 2 factor authentication.

    [Key is copied, emulated as a USB device, boom you’re done]

    • Robert – that’s not how they work. The device is not just a chunk of USB data that can be copied. There’s a CPU and memory inside, and the keys that are stored CANNOT be read out. They can be used within the device (e.g. to encrypt or decrypt something). But the keys cannot be exported.

  25. Anyone know anything about the supposed Yubico alternative, Feitian Epass?

    https://fidoalliance.org/product/epass-fido-nfc-security-key/

    I wonder what it’s worth, there’s very little information about it… (by the way, why the heck does this comment form keep telling me to input name and email, when I already have done that *twice*?)

  26. A couple months ago, I asked Vanguard (investment company) how I could avoid using SMS codes for sign in. I was advised to purchase a YubiKey token which I did. Now I’m told I must still have “Security Codes(SMS)” and cannot have just a “Security Key(YubiKey)”. You are given the option to login using “Security Codes” if you don’t have your “Security Key” on you. There is no additional security in having the Yubikey if it is still possible to sign in with the SMS Security Codes. I feel like I wasted my money on the YubiKey.

    • That’s correct – today the Yubikey is just a convenience on Vanguard since it’s faster than handling an SMS code sequence.

      They could increase security of the key at any time in the future by coming up with other ways of fallback authentication such as US mail (with a multi-day wait).

  27. This will not work for some environment where access to external devices are blocked. Really the best 2fa device to use is your smartphone.

  28. Larry-IT learner

    “Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.”
    So does this indicate that Google doesn’t consider Authenticator secure?

  29. I see a lot of good statements, and so that might be good, but maybe too personal.
    You have to notice that YubiKeys support a lot of authN standards, some proprietary, others not:
    – U2F
    – TOTP
    – OATH
    – FIDO2 (coming soon)
    – vSmartCard (CCID/PKCS#11/xx)

    Choosing between all of them is a question of security requirements vs. functional aspects (UX, integration with other endpoint services, WebAuthn, Windows/macOS logon, etc.). On the other hand, you have to remember that a smartcard uses a PIN and could be integrated with many, many security solutions like LastPass for better integration with other websites (on the public side); on the enterprise side you can use asymmetric keys to cover the CIA triad (confidentiality, integrity, availability), and some enterprises already have a self-service mode with keys to claim a new one if they are stolen/lost. What I’ve noticed only once in all the comments, unfortunately, is the security of the chip: who can tamper with/alter/break the physical security of a YubiKey right now? I think only a couple of people around the world. So what about all your software vendors who recommend using a soft token on a smartphone 😀? Have you ever measured the physical security of your smartphone vs. a YubiKey, even the most basic one, FIPS compliant? Do you trust Apple or Samsung more or less than Yubico or any other member of the FIDO Alliance?

  30. Hi Google,
    After reading this little article I want to know where I can get one of those for safety. I am 69 years young and I’m starting up my own little business, and I need my devices to be secure. Where can I get it? You have my email; please send me all the particulars. Thank you.
    Chris R. Casson