[Cryptography] How Google's Physical Keys Will Protect Your Password

Henry Baker hbaker1 at pipeline.com
Fri Oct 27 09:59:56 EDT 2017


FYI --

https://www.nytimes.com/2017/10/25/technology/personaltech/google-keys-advanced-protection-program.html

How Google's Physical Keys Will Protect Your Password

By BRIAN X. CHEN and NICOLE PERLROTH OCT. 25, 2017

Why won't the password just go away?  The silly pet names, movie
titles or sports teams that many people punch in to get into their
online accounts are a weak spot that hackers continue to puncture.

Yet passwords remain the primary way we log in to online accounts
containing our personal and financial information.  Google has a new
pragmatic solution: Embrace the password, but lock it down with extra
physical security.

The company this month released its Advanced Protection Program, which
is meant to make stealing your password pointless.  To use it, you'll
need two inexpensive physical keys to log in to your Google account on
your computer and smartphone.

https://www.blog.google/topics/safety-security/googles-strongest-security-those-who-need-it-most/

This way, even if hackers stole your password in a data breach or
successfully phished for it, by tempting you to hand over your
credentials on a fake login page, they couldn't do anything unless
they got their hands on the keys as well.  And minimizing risk with
minimal effort is a boon to anyone who cares about online security.

"I am a big fan of this," said John Sabin, a former hacker for the
National Security Agency.  "It's probably the easiest and most secure
multifactor for the masses."

The physical keys are an evolution of two-factor authentication, an
extra security layer to ensure that your password is being entered by
you.  Google was one of the first companies to start offering
two-factor authentication back in 2010, not long after it learned that
it had been hacked by state-sponsored Chinese hackers.

After the attack, Google's security team came up with a motto: "Never
again."  The company later rolled out two-factor authentication for
Google customers' Gmail accounts.  It involved text messaging a unique
code to your phone that you must type in after entering your password
in order to log in.

Unfortunately, those text messages can be hijacked.  Last month,
security researchers at Positive Technologies, a security firm,
demonstrated how they could use vulnerabilities in the cellular
network to intercept text messages for a set period of time.

The idea of Google's Advanced Protection Program is to provide people
with a physical device that is much harder to steal than a text
message.  Google is marketing the program as a tool for a tiny set of
people who are at high risk of online attacks, like victims of
stalking, dissidents inside authoritarian countries or journalists who
need to protect their sources.

But why should extra-tough security benefit such a small group?
Everyone should be able to enjoy stronger security.

So we tested Google's Advanced Protection Program and vetted it with
security researchers to see if the program could be used by the
masses.  The verdict: Many people should consider signing up for the
security system and buying a pair of keys.  But if you are married to
some non-Google apps that are not yet compatible with the keys, you
should wait and see if the program matures.

Setting Up Advanced Protection

Anyone with a Google account can sign up for the security program on
Google's Advanced Protection webpage.  To get started, you will have
to buy two physical keys for about $20 each.  Google recommends buying
one from Feitian and another from Yubico.

https://landing.google.com/advancedprotection/

https://www.amazon.com/Feitian-MultiPass-FIDO-Security-Key/dp/B01LYV6TQM

https://www.amazon.com/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8

The keys, which look like thumb drives and can fit on your key chain,
contain digital signatures that prove you are you.  To set one up, you
plug the key into a computer USB port, tap a button and name it.  (The
Feitian key wirelessly communicates with your smartphone to
authenticate the login.)  This process takes a few minutes.

On a computer and a smartphone, you need to log in with the key only
once, and Google will remember the devices for future logins.  That is
more convenient than traditional two-factor authentication, which
requires entering a unique code each time you log in.

But there are trade-offs.  Google's Advanced Protection cuts off all
third-party access by default, allowing only applications that support
its security keys.  For the time being, that means only Google's Gmail
mail app, Google's Backup and Sync app, and Google's Chrome browser.

On an iPhone, for example, you will have to use Google's Gmail or
Inbox apps for email, and on a computer, you can use only the Chrome
browser when signing in with a browser.  So if you rely on Apple Mail
to gain access to your Gmail on an iPhone, or if you use Microsoft
Outlook for getting into Gmail on a PC, you're out of luck.  Google
says its goal is to eventually allow third-party apps to work with the
program, but it is also up to other companies to update their apps to
support the keys.

Testing the Security

Despite the drawbacks, security researchers agree that the Advanced
Protection Program is a solid piece of security and relatively
painless to use, even for everyday use for people outside
high-security jobs.

Mr. Sabin, the former N.S.A. hacker, who is now a director of network
security at GRA Quantum, a security consulting firm, said the physical
keys had pros and cons.  On one hand, if you lose a key, a hacker
would have a hard time figuring out which account it was associated
with.

On the other hand, if you lose the keys or don't have the keys around
when you need to log in to a new device, it takes longer to regain
access to your account.  Google has put in place more elaborate
recovery steps for Advanced Protection users, including additional
reviews and requests for details about why users have lost access to
their account.  In our test, we answered security questions to try to
recover an account, and Google said it would review the recovery
request and respond within a few days.

Runa Sandvik, the director of information security at The New York
Times, said the keys were not much of a hassle.  She said Google's
requirement of using two keys meant you essentially had a spare: If
you lose one key, you can get into your account with the remaining
key.

But she noted that the keys could get annoying if you used many
devices and constantly needed to carry the keys around to log in to
your account.  That may be an issue for people who work in the
technology industry, but most people probably use only one computer
and one phone.

Ms. Sandvik, who has been testing Google's program to assess whether
to recommend it to the newsroom, said she had not yet discovered
vulnerabilities in the security key system outside of the slim
possibility that a hacker gained possession of both your password and
your key.

"It's something that is relatively easy to set up once you have both
keys," Ms. Sandvik said.  "I don't see a reason you shouldn't turn
this on."

The Bottom Line

While the security keys are easy to set up and provide tough security,
they may be disruptive to your productivity if you rely on apps that
are incompatible with the keys.

It took a few minutes for us to migrate to Google's apps from Apple's
and integrate them into our newsroom workflow, which already relies on
Google's mail, messaging and cloud storage services.  But using the
keys required sacrificing an important feature -- Apple's
V.I.P. alerts, which notify you when people you deem important email
you.  Google's iOS apps for Gmail and Inbox lack a similar feature.
For people with flooded inboxes, lacking V.I.P. alerts makes sifting
through emails time-consuming.

Another example of how the keys can stifle productivity: Many
employers still require using the Microsoft Outlook app for email,
which won't work with the keys.

If using Google's security program would disrupt your work, you may
want to wait for more companies to update their apps to support the
keys, which rely on a standard called FIDO, for Fast Identity Online.
Mr. Sabin predicts that many apps will follow Google's lead.

https://fidoalliance.org/about/overview/

If you decide to wait, don't procrastinate on turning on traditional
two-factor authentication that relies on text messages.  While it is
hackable, it is still much safer than relying on a password alone to
protect you.

The question is how long it will take security researchers to find a
way to hack the physical keys as well.  When asked if he had already
circumvented physical multifactor authentication devices like Google's
keys, Mr. Sabin would offer only: "No comment."

A version of this article appears in print on October 26, 2017, on
Page B6 of the New York edition with the headline: Google's Security
Key Works, With Limits.
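The phishing resistance the article describes (a stolen or phished password is useless without the key) comes from the FIDO U2F design: the key signs the site's challenge together with the hash of the app ID that the browser derives from the page's own origin, so an assertion obtained on a look-alike page does not verify at the real site. The simulation below is an added example, not Google's, Yubico's or Feitian's code; the HMAC stands in for the key's per-registration ECDSA signature, and the user, password and phishing origin are constructed.

```python
import hashlib
import hmac
import os

REAL_APP_ID = "https://accounts.google.com"       # the real relying party's app ID (its origin)
PHISH_ORIGIN = "https://accounts-google.example"   # constructed look-alike origin for the demo
def _signed_data(app_id, counter, challenge):
    # U2F signs sha256(appId) || counter || sha256(clientData); the challenge stands in for clientData
    return hashlib.sha256(app_id.encode()).digest() + counter.to_bytes(4, "big") + hashlib.sha256(challenge).digest()
class SecurityKey:
    # Simulated U2F key: one secret per registration, bound to the app ID it was minted for.
    def __init__(self):
        self._regs, self.counter = {}, 0
    def register(self, app_id):
        handle, secret = os.urandom(8).hex(), os.urandom(32)
        self._regs[handle] = (app_id, secret)
        return handle, secret                      # secret plays the role of the registered public key
    def authenticate(self, handle, app_id, challenge):
        reg = self._regs.get(handle)
        if reg is None or reg[0] != app_id:        # handle was minted for a different app ID: no response
            return None
        self.counter += 1
        return self.counter, hmac.new(reg[1], _signed_data(app_id, self.counter, challenge), hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.users = app_id, {}       # user -> [password, handle, secret, last_counter]
    def enroll(self, user, password, key):
        handle, secret = key.register(self.app_id)
        self.users[user] = [password, handle, secret, 0]
    def login(self, user, password, page_origin, key):
        rec = self.users[user]
        if not hmac.compare_digest(password, rec[0]) or key is None:
            return False
        challenge = os.urandom(32)
        # The browser, not the page, supplies the app ID, deriving it from the page's own origin.
        resp = key.authenticate(rec[1], page_origin, challenge)
        if resp is None:
            return False
        counter, sig = resp
        expected = hmac.new(rec[2], _signed_data(self.app_id, counter, challenge), hashlib.sha256).digest()
        if counter <= rec[3] or not hmac.compare_digest(sig, expected):
            return False                           # wrong origin, forged signature, or replayed counter
        rec[3] = counter
        return True
def demo():
    key, rp = SecurityKey(), RelyingParty(REAL_APP_ID)
    rp.enroll("alice", "fluffy1999", key)          # constructed user and password
    return (rp.login("alice", "fluffy1999", REAL_APP_ID, key),   # genuine login with the key
            rp.login("alice", "fluffy1999", REAL_APP_ID, None),  # password stolen in a breach, no key
            rp.login("alice", "fluffy1999", PHISH_ORIGIN, key))  # phished password, challenge relayed via fake page
```

Even a key that skipped its handle check would sign over the phishing origin's app ID hash, and the relying party's verification against its own app ID would still reject it.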
