[Cryptography] How Google's Physical Keys Will Protect Your Password

[Bayuk]

> On Oct 30, 2017, at 4:08 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> Somewhat less snarkily, is there anything actually novel here, or is 
> it just really old news that's new again because the term "Google" is 
> attached?  I can't see anything to get excited about.  It's not even 
> "Google's Keys", it's someone else's stuff that Google has adopted.

I administer a small Gsuite domain and purchased a key from Yubico (for $50 instead of the $20 reported in the article, because it had NFC and I thought it might work with my iphone - it doesn't). It seems to work just like any other hard token that can be reduced to a soft token. As the Times points out, it only works with Google apps, and I did not see an option to use it with OAUTH. It is also just one type of second step in a more holistic "two-step verification feature" that a user turns on.

In practice, Gsuite did not require identify verification often, I enabled it a few months ago and it seems I only get asked to plug in my key when I am on a new device or clear my cache. Not even after reboot. If I don't have it handy, I can tell it to send me a text instead. I suppose it may time out or have some suspicious meter, but I don't see a setting that is configurable. Google also allows end users to generate emergency keys and save them to desktops, and these emergency keys (5 at a time) can be used in place of the token. IMHO, this feature puts a just little too much trust in end user behavior.

The administrative settings for two-step verification are: "on", "on but not enforced", and "off". So you can leave it up to users if they want to use it or not. This is a feature. I do not see a way to enforce the hard token over the cell phone or emergency authentication methods. My guess is that they are still refining how they think it should work.