Sure, you can get a one-time code sent to your mobile phone and use that code, with your password, to try to fend off takeovers of Google, Yahoo or iCloud accounts, among others.
But can you be assured that a sophisticated phisher hasn't spoofed a site to trick you into handing over your one-off code?
No, you can't, and that's why Google's decided to ratchet up the security of two-step verification (2SV) even tighter.
On Tuesday, it announced that it's adding support for a physical USB second factor that will first verify the login site as being a true Google website, not a fake site pretending to be Google, before it hands over a cryptographic signature.
What this means is that instead of typing in a code from their mobile phones, users who opt for the USB approach will just insert a USB device enabled by the FIDO Universal 2nd Factor (U2F) standard - or what Google's calling a Security Key - into their computers' USB port, then tap a button on the device at Chrome's prompt.
That should block sites trying to phish your credentials away, says Nishit Shah, Product Manager at Google Security:
Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google.
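The origin check described above is what separates a Security Key from a one-time code: the browser, not the web page, records which origin it is really talking to, and the key only ever signs a challenge bound to that origin and that site's application id. The following is an added educational model of that exchange, not code from Google, the FIDO Alliance or this post. It runs on the Python standard library alone, so an HMAC derived per application id stands in for the per-site ECDSA key pair a real Security Key holds (in real U2F the relying party stores only a public key); the site names, challenge format and lookalike phishing origin are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of FIDO U2F origin binding (added example, not Google's code).
# HMAC stands in for the real device's per-appId ECDSA key pair (simplification).


class SecurityKey:
    """Authenticator side: one signing key per application id, plus a usage counter."""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)
        self.counter = 0  # included in every signature; a real key also counts up

    def _key_for(self, app_param: bytes) -> bytes:
        # A real device wraps a fresh EC key pair into a key handle bound to the appId.
        return hmac.new(self._device_secret, app_param, hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        """Return the verification key the relying party stores at enrolment."""
        return self._key_for(hashlib.sha256(app_id.encode()).digest())

    def sign(self, app_id: str, client_data: bytes) -> dict:
        """Sign H(appId) || user-presence || counter || H(clientData), the U2F layout."""
        app_param = hashlib.sha256(app_id.encode()).digest()
        chal_param = hashlib.sha256(client_data).digest()
        self.counter += 1
        user_presence = b"\x01"  # the button tap at Chrome's prompt
        signed = app_param + user_presence + self.counter.to_bytes(4, "big") + chal_param
        sig = hmac.new(self._key_for(app_param), signed, hashlib.sha256).digest()
        return {"user_presence": user_presence, "counter": self.counter, "signature": sig}


def browser_client_data(challenge: str, origin: str) -> bytes:
    """The browser fills in the origin it actually connected to; the page cannot choose it."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


class RelyingParty:
    """Website side; here the appId is the site's own origin."""

    def __init__(self, app_id: str, verification_key: bytes):
        self.app_id = app_id
        self.key = verification_key
        self.last_counter = 0

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, challenge: str, client_data: bytes, response: dict) -> bool:
        data = json.loads(client_data)
        # 1. The signed client data must name this site's origin and this challenge.
        if data.get("origin") != self.app_id or data.get("challenge") != challenge:
            return False
        # 2. The signature must cover our appId hash and exactly this client data.
        app_param = hashlib.sha256(self.app_id.encode()).digest()
        chal_param = hashlib.sha256(client_data).digest()
        signed = (app_param + response["user_presence"]
                  + response["counter"].to_bytes(4, "big") + chal_param)
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False
        # 3. The counter must advance, so a recorded response cannot be replayed.
        if response["counter"] <= self.last_counter:
            return False
        self.last_counter = response["counter"]
        return True


def demo() -> dict:
    """Run a genuine login, a relayed phishing attempt, a tampered relay and a replay."""
    key = SecurityKey()
    site = "https://accounts.google.com"
    google = RelyingParty(site, key.register(site))

    # Genuine login: the browser really is on the Google origin.
    chal = google.new_challenge()
    cd = browser_client_data(chal, site)
    genuine_resp = key.sign(site, cd)
    genuine = google.verify(chal, cd, genuine_resp)

    # Phishing relay: the fake site forwards Google's challenge, but the browser
    # binds the client data to the lookalike origin and the key signs for that appId.
    chal2 = google.new_challenge()
    fake = "https://accounts-google.example"  # constructed lookalike origin
    cd_fake = browser_client_data(chal2, fake)
    fake_resp = key.sign(fake, cd_fake)
    relayed = google.verify(chal2, cd_fake, fake_resp)

    # Tampered relay: the phisher rewrites the client data to claim Google's origin,
    # but the signature was made over the original data with the wrong appId key.
    tampered = google.verify(chal2, browser_client_data(chal2, site), fake_resp)

    # Replay of the genuine response: the counter has not advanced.
    replay = google.verify(chal, cd, genuine_resp)

    return {"genuine": genuine, "relayed_phish": relayed,
            "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Only the genuine login verifies; the relayed, tampered and replayed responses all fail, which is the property the post describes: a one-time code can be typed into any page, but a Security Key's signature is useless to a site it was not made for.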
We write about two-step verification often. We urge companies to offer it, and we advise users to take advantage of it whenever possible.
That's because we think it's the easiest and most effective way for web properties and other internet services to raise the bar against stolen passwords.
Google's offering Security Key free on its end, but given that the USB drives themselves will be coming from third parties, yes, it does mean that you'll have to buy yet another drive to add to your collection.
Google's Security Key is actually the first deployment of FIDO.
Google says it's hoping that other browsers besides Chrome get on board, but for now, that means that your new stick will only work with Chrome.
Hopefully, Google says, at some point, that one Security Key USB drive will unlock your online self all over the place, as opposed to having your pockets bulge with a key ring bogged down with a clanking collection of drives:
Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.
A few other good things about a USB 2SV device: unlike your phone, neither a dead battery nor lack of a data connection will thwart it.
Heck, one of the third-party USB drives is also apparently rugged enough to go through the spin-cycle when caught up in one Amazon reviewer's laundry:
Great hardware! (My little token has survived an accidental run through the washer & dryer!)
Is there anything potentially bad about this? Well, as commenter Chris Drake noted on Google's post, some of us might be constrained, in security-sensitive workplaces, not to plug arbitrary USB keys into workstations.
Interesting point, particularly given that it was just a few months ago that BadUSB had us wondering if we could ever trust a USB device again, what with their newfound ability to be turned into covert keyloggers, malware spreaders or boobytrappers of backup files.
Hopefully, the third-party USB drive makers using FIDO are on top of that, but we'll let you know if we learn otherwise.
As for plugging drives in at your workstation, please do check with your IT department first.