Tag: security token

U2F-compliant security keys now seen as phish-proof

Articles

Facebook login page

It is being proven that the use of a hardware security key is making the login experience phish-proof

Google Employees’ Secret to Never Getting Phished Is Using Physical Security Keys | Gizmodo

U2F Security Keys Show Extreme Effectiveness Against Phishing | Tom’s Hardware

Google: Security Keys Neutralized Employee Phishing | Krebs On Security

My Comments

An issue that is being raised regarding SMS-driven two-factor authentication is that it can be used to facilitate phishing and other fraud against the user’s account. Here, it relies on the user receiving an SMS or voice call with a key value to enter in to the login user interface and this is totally dependent on the SMS or call being received at a particular phone number.

The area of risk being highlighted is that the user could be subjected to social engineering to “steer” their phone number to a mobile device under the hacker’s control. Or the IT infrastructure maintained by your mobile telephony provider could be hacked to “steer” your phone number somewhere else. The ease of “steering” your mobile phone number between devices is brought about thanks to a competitive-telephony requirement to “port” mobile or local numbers between competing telephony-service providers if a subscriber wishes to “jump ship” and use a different provider.

Google have proven that the use of hardware security keys that are part of the FIDO Allance’s U2F (Universal Second Factor) ecosystem are more secure than the SMS-based second-factor arrangement used by most online services. This is a “follow-on” from the traditional card-size or fob-size security token used by some banking services to verify their customers during the login process or when instantiating certain transactions.

Here, Google issued all their employees with a U2F-compliant security key and made it mandatory that their work accounts are secured with this key rather than passwords and one-time codes.

Most of these keys are connected to the host computer via plugging them in to a vacant USB port on that host. But there are or can be those that use Bluetooth and / or NFC “touch-and-go” technology to work with mobile devices.

Why are these U2F security keys more secure than the SMS-based two-factor authentication or app-based two-factor authentication? The main reason is that the U2F security key is a separate dedicated hardware device that works on an isolated system, rather than a backbone system dependent on mobile-telephony infrastructure or software that runs on a computer device that can be exposed to security exploits.

For most users, the concept of using a U2F-compliant security key for their data relates it to being the equivalent of the traditional key that you use to gain access to your home or car as in something you possess for that purpose. Most U2F-compliant security keys that use USB or Bluetooth would also require you to press a button to complete the authentication process. Again this is similar to actually turning that key in the lock to open that door.

This has underscored the “phish-proof” claim because a person who uses social engineering to make an attempt on the user’s credentials would also need to have the user’s security key to achieve a successful login. It is something that is similar to what happens when you use an ATM to withdraw cash from your bank account because you need to insert your account card in the machine and enter your PIN to commence the transaction.

What kind of support exists out there for U2F authentication? At the browser level, currently Chrome, Opera and Firefox provide native support but Firefox users would need to enable it manually. At the moment, there isn’t much production-level support for this technology at the operating-system level and a handful of applications, namely password-vault applications, provide native support for U2F authentication.

The issue of providing support for U2F authentication at the operating-system level is a real issue thanks to operating systems having an increased amount of native client-level support for online services “out of the box”. It also includes the use of Web browsers that are developed by the operating system’s vendor like Edge (Microsoft Windows) and Safari (Apple MacOS and iOS) with the operating system set up “out of the box” to use these browsers as the default Web browser. As well, Microsoft, Google and Apple implement their own platform-wide account systems for all of the services they provide.

Other questions that will end up being raised would be the use of hardware-key authentication in the context of single-sign-on arrangements including social-sign-on, along with the 10-foot lean-back user experience involving the TV set. The former situation is underscored through the popularity of Google, Facebook and Microsoft as user credential pools for other online and mobile services. This is while the latter situation would underscore console-based online gaming, interactive TV and video-on-demand services which are account-driven, with the idea of being able to support simplified or “other-device” user authentication experiences.

What has been proven is that easy-to-use dedicated security keys are a surefire means of achieving account security especially where the main attack vector is through social engineering.

Mobile codes to boost Google account security | Security – CNET News

 

Mobile codes to boost Google account security | Security – CNET News

My comments

Google have worked on a way of improving security for Web-page login experiences because these login experiences are easily vulnerable to phishing attacks.

What is this technology

This method is similar to a hardware security “token” used by some big businesses for data security and increasingly by some banks to protect their customers’ Internet-banking accounts against phising attacks. This is a device that you keep with you in your wallet or on your keyring which shows a random number that you key in to a login screen alongside your user name and password and is based on “what you have” as well as “what you know”.

This time, the function of this “token” is moved to the mobile phone which nearly all of us have on ourselves. It will appear as a smartphone “app” for the Blackberry, Android or iPhone platforms that shows the random code number or will operate in the form of your phone showing an SMS with the token code or you hearing a code number from a call you answer on that phone. Of course, you will register your mobile number with Google to enable this level of security.

The direction for the technology

Google are intending to use it with their application platform which covers GMail, Adsense, Analytics, Picasa and other Google services. Initially it will be tried with selected user groups but will be available to the entire user base.

They will provide an option to avoid the need to use this “Google codes” system on the same computer for a month, which would appeal to users who work with their GMail account from their netbook or desktop PC. They will still need to have this work if they “come in” to their GMail account from another computer and it will work if someone else uses the same PC to check on their GMail.

What I am pleased about with this is that they intend to “open-source” this system so that it can be implemented in to other platforms and applications. Similarly, the “apps” can then be ported to newer smartphone platforms or “baked in” to other PDAs and similar devices. As far as the “apps” are concerned, I would like to allow one piece of code to service multiple service providers rather than loading a smartphone with multiple apps for different providers.

Making the home network secure

I would like to see this technology being tried out as a method of securing devices that use Web-based data-access or management interfaces, similar to D-Link’s use of CAPTCHA for securing their home-network routers’ management login interfaces. This is becoming more so as nearly every home uses a wireless network router as the network-Internet “edge” for their networks. Similarly, there is an increasing tendency to use a network-attached storage for pooling data to be available across the network or as backup storage and most of these units use a Web-based user interface.

Conclusion

One feature that I like about this Google project is that they have applied a security technology normally available to big business and made it available to small business and consumer users.