[Cryptography] How Google's Physical Keys Will Protect Your Password

Bayuk jennifer at bayuk.com
Mon Oct 30 18:04:18 EDT 2017

> On Oct 30, 2017, at 4:08 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Somewhat less snarkily, is there anything actually novel here, or is 
> it just really old news that's new again because the term "Google" is 
> attached?  I can't see anything to get excited about.  It's not even 
> "Google's Keys", it's someone else's stuff that Google has adopted.

I administer a small Gsuite domain and purchased a key from Yubico (for $50 instead of the $20 reported in the article, because it had NFC and I thought it might work with my iPhone - it doesn't). It seems to work just like any other hard token that can be reduced to a soft token. As the Times points out, it only works with Google apps, and I did not see an option to use it with OAuth. It is also just one type of second step in a more holistic "two-step verification feature" that a user turns on.

In practice, Gsuite did not require identity verification often. I enabled it a few months ago and it seems I only get asked to plug in my key when I am on a new device or clear my cache. Not even after reboot. If I don't have it handy, I can tell it to send me a text instead. I suppose it may time out or have some suspicious meter, but I don't see a setting that is configurable. Google also allows end users to generate emergency keys and save them to desktops, and these emergency keys (5 at a time) can be used in place of the token. IMHO, this feature puts just a little too much trust in end user behavior.

The administrative settings for two-step verification are: "on", "on but not enforced", and "off". So you can leave it up to users if they want to use it or not. This is a feature. I do not see a way to enforce the hard token over the cell phone or emergency authentication methods. My guess is that they are still refining how they think it should work.
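For readers who want to see what the key is actually doing when it gets plugged in, here is an added example (not code from the thread, from Google or from Yubico) of the FIDO U2F authentication exchange the Yubico key and Google's site perform: the token signs SHA-256(appID) || user-presence byte || 32-bit counter || SHA-256(clientData) with a P-256 key minted at registration, and the site checks the signature, the presence bit and that the counter only ever increases. The authenticator side is simulated in software, which is the "hard token reduced to a soft token" case mentioned above; the only thing a YubiKey adds is that the private key and counter never leave the device. The appID value, the JSON clientData and the challenge strings are constructed for the example and are not Google's real parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignResponse is what the browser relays from the token back to the site:
// user-presence byte, 32-bit signature counter, ASN.1 DER ECDSA signature.
type SignResponse struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte
}

// signedData builds the U2F authentication message
// SHA-256(appID) || userPresence || counter || SHA-256(clientData)
// and returns its SHA-256 digest, which is what ECDSA-with-SHA256 signs.
func signedData(appID string, up byte, counter uint32, clientData []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	challengeParam := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 69)
	msg = append(msg, appParam[:]...)
	msg = append(msg, up)
	msg = append(msg, ctr[:]...)
	msg = append(msg, challengeParam[:]...)
	digest := sha256.Sum256(msg)
	return digest[:]
}

// SoftToken plays the authenticator in software (assumed stand-in for the
// hardware key). A real key holds priv and counter in its secure element.
type SoftToken struct {
	appID   string // origin the key pair was registered for
	priv    *ecdsa.PrivateKey
	counter uint32
}

// NewSoftToken is the registration step: a fresh P-256 key pair bound to appID.
func NewSoftToken(appID string) (*SoftToken, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SoftToken{appID: appID, priv: priv}, nil
}

// Register returns the record the site keeps: public key and last counter seen.
func (t *SoftToken) Register() *RegisteredKey {
	return &RegisteredKey{Pub: &t.priv.PublicKey, LastCounter: t.counter}
}

// Sign is the touch-the-key step. The token refuses any origin other than the
// one it was registered for, so a look-alike domain gets nothing back.
func (t *SoftToken) Sign(appID string, clientData []byte) (*SignResponse, error) {
	if appID != t.appID {
		return nil, errors.New("token: key not registered for this origin")
	}
	t.counter++ // strictly increasing; a cloned token cannot stay in sync
	const userPresent = 0x01
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedData(appID, userPresent, t.counter, clientData))
	if err != nil {
		return nil, err
	}
	return &SignResponse{UserPresence: userPresent, Counter: t.counter, Signature: sig}, nil
}

// RegisteredKey is the relying party's record for one enrolled token.
type RegisteredKey struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Verify is the server-side check: presence asserted, signature valid over the
// fields the server expects, and a counter that moved forward.
func (k *RegisteredKey) Verify(appID string, clientData []byte, resp *SignResponse) error {
	if resp.UserPresence&0x01 == 0 {
		return errors.New("verify: user presence not asserted")
	}
	if !ecdsa.VerifyASN1(k.Pub, signedData(appID, resp.UserPresence, resp.Counter, clientData), resp.Signature) {
		return errors.New("verify: bad signature")
	}
	if resp.Counter <= k.LastCounter {
		return errors.New("verify: counter did not increase (replay or cloned token)")
	}
	k.LastCounter = resp.Counter
	return nil
}

// clientData is the JSON the browser hashes into the challenge parameter.
// Constructed sample; the challenge is normally fresh random bytes from the server.
func clientData(challenge, origin string) []byte {
	return []byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin))
}

func main() {
	const appID = "https://accounts.google.com" // assumed value for the example
	tok, err := NewSoftToken(appID)
	if err != nil {
		panic(err)
	}
	rec := tok.Register()
	cd := clientData("c1-random-challenge", appID)
	resp, _ := tok.Sign(appID, cd)
	fmt.Println("fresh response:   ", rec.Verify(appID, cd, resp))
	fmt.Println("replayed response:", rec.Verify(appID, cd, resp))
	_, err = tok.Sign("https://accounts.google.com.evil.example", cd)
	fmt.Println("phishing origin:  ", err)
	resp2, _ := tok.Sign(appID, cd)
	fmt.Println("wrong challenge:  ", rec.Verify(appID, clientData("c2-other", appID), resp2))
}
```

The counter check is the part most home-grown verifiers skip: without it the same signed response can be replayed, and a copied soft token is indistinguishable from the original. It also explains why a backup code is a weaker second factor than the key: nothing binds a code to an origin or to a counter, so the phishing-resistance comes entirely from the token refusing to sign for the wrong appID.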
