[Cryptography] How Google's Physical Keys Will Protect Your Password

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Nov 2 21:12:03 EDT 2017


John Levine <johnl at iecc.com> writes:

>My bag is already too full of junk, and a dongle plus adapter cable is not
>high on my list of things I want to add, nor that I want to dig out every
>time my plane lands in a different country, my phone number changes, and
>Google wants me to log in again.

And that, generalised to be non-Google-specific, is why hardware-token 2FA has
failed to achieve any penetration despite twenty years of effort, and why it
will continue to fail to achieve any penetration for the rest of eternity.

It's also why companies shell out a fortune for SecurID gear, because they're
the closest 2FA you can get to the most usable authentication mechanism there
is, passwords (see e.g. "The quest to replace passwords: A framework for
comparative evaluation of web authentication schemes").

Peter.

