
Physical keys give Google services added security


Ponting


A U2F device, such as this one from Yubico, can provide an extra layer of security

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company has incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second-factor sign-in component that only works after verifying the log-in site is truly a Google site.

The U2F standard is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that has been working to come up with specifications supporting a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google on Friday essentially offers a more secure way of using the company's two-step authentication process. For several years, Google has offered an approach that it calls "2-Step Verification", which sends a one-time pass code to the user's mobile or land-line phone.

This verification process makes it so that even if hackers manage to steal your password, they still need access to your mobile or land-line phone if they are trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, the security key "offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it's supposed to work with".

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it does not work for mobile-only users because it requires a USB port. Also, the security key does not work for Google properties on anything other than Chrome.

The move comes after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for purchases at participating merchants merely by tapping the phone on the store's payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, US government websites may also offer consumers more authentication options than many financial sites. An executive order announced last week by the White House requires the National Security Council staff, the Office of Science and Technology Policy and the Office of Management and Budget to submit a plan to ensure that all agencies making personal data accessible to US citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.

Source: http://www.smh.com.au/it-pro/security-it/physical-keys-give-google-services-added-security-20141024-11bahu.html


Google announced on its security blog an extra layer of security for Google Accounts based on the emerging strong authentication standard: Universal 2nd Factor, or U2F.

This is a good day for the Internet.

As a driving contributor to FIDO U2F specifications, Yubico celebrates this big day by releasing a new blue campaign version of our YubiKey that is designed to work with the U2F support Google has added to Chrome. This U2F-only Security Key, as well as our multi-technology YubiKey NEO, pioneers the market for U2F devices.

This U2F support is a milestone in a standards journey that began a couple of years ago. Along with Internet thought leaders, we recognized the advantages of high-security, public key cryptography for scalability and for protecting against advanced Trojans, phishing and man-in-the-middle attacks. With a mission to make great security available for every Internet user, we decided to focus on the essential: to keep it really lean.

Below is a short summary of the main differentiators between U2F security keys and traditional smart card- and hardware-based authentication devices:

  • No need for drivers, client software and middleware – Uses native drivers and built-in support directly into the browser. No installation, no configuration – just works!
  • Highly scalable while protecting your privacy – Generates a new set of encryption keys for every service, that is only stored on the specific service it connects to. With this approach no secrets are shared among service providers, and even low-cost security keys can support any number of services.
  • Great user experience – To register and authenticate, all it takes is a simple touch of a button!

In January 2013 Wired Magazine first wrote about the U2F project. As a response to all the inquiries Yubico received, we published a blog summarizing our vision of a single key for securing access to all Internet. Since then, U2F has continued to develop within the FIDO Alliance open standards consortium.

And now our vision has been turned into reality.

You can get your own FIDO U2F Security Key today at Amazon.com. A key that you own and control allowing you to securely log in to your Google Account, which lets you access services such as Gmail. The same is true for any number of service providers who choose to adopt simple and strong Universal 2nd Factor authentication.
