[Cryptography] How Google's Physical Keys Will Protect Your Password

John Ioannidis jayeye at gmail.com
Mon Oct 30 21:59:42 EDT 2017

On Mon, Oct 30, 2017 at 6:04 PM, Bayuk <jennifer at bayuk.com> wrote:

> > On Oct 30, 2017, at 4:08 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> >
> > Somewhat less snarkily, is there anything actually novel here, or is
> > it just really old news that's new again because the term "Google" is
> > attached?  I can't see anything to get excited about.  It's not even
> > "Google's Keys", it's someone else's stuff that Google has adopted.
> I administer a small Gsuite domain and purchased a key from Yubico (for
> $50 instead of the $20 reported in the article, because it had NFC and I
> thought it might work with my iPhone - it doesn't). It seems to work just
> like any other hard token that can be reduced to a soft token. As the Times
> points out, it only works with Google apps, and I did not see an option to
> use it with OAUTH. It is also just one type of second step in a more
> holistic "two-step verification feature" that a user turns on.
> In practice, Gsuite did not require identity verification often; I enabled
> it a few months ago and it seems I only get asked to plug in my key when I
> am on a new device or clear my cache. Not even after reboot. If I don't
> have it handy, I can tell it to send me a text instead. I suppose it may
> time out or have some suspicious meter, but I don't see a setting that is
> configurable. Google also allows end users to generate emergency keys and
> save them to desktops, and these emergency keys (5 at a time) can be used
> in place of the token. IMHO, this feature puts just a little too much trust
> in end user behavior.
> The administrative settings for two-step verification are: "on", "on but
> not enforced", and "off". So you can leave it up to users if they want to
> use it or not. This is a feature. I do not see a way to enforce the hard
> token over the cell phone or emergency authentication methods. My guess is
> that they are still refining how they think it should work.
Yubikey was actually developed in collaboration with Google. Unlike much of
Google's UX, it just works without being a pain (the two may not be
unrelated). The same key supports multiple independent providers, so I
don't have to keep swapping keys to authenticate to different sites. I just
love it; I wish my bank would also support it.

Pretty much the only service that I use that does not support it is AWS,
for reasons I cannot fathom; maybe the Dread Pirate Bezos hates their CEO.

As for names: Apple didn't invent the mouse, the windowing UI, or the
smartphone, but they are the ones who made that technology widely available
(mostly through excellent marketing, but that's not the point).
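The two properties argued over above, that one key serves many independent providers and that it resists the phishing that SMS and emergency codes do not, come from the same design: a per-origin key derived on the device and a signature that covers the origin the browser saw. The following is an added illustration, not code from the thread, from Google or from Yubico, and it is a deliberately simplified model: Ed25519 stands in for the P-256 ECDSA that U2F actually uses, the key handle is just a nonce, the origins, challenge strings and the `Token`/`RelyingParty` names are constructed for the demo, and the real key-wrapping format on a Yubikey differs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models one hardware key: a master secret that never leaves the device
// and a counter that only increases (a cloned key would reuse old values).
type Token struct {
	master  []byte
	counter uint32
}

func NewToken() *Token {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		panic(err)
	}
	return &Token{master: m}
}

// deriveSeed maps (master, origin, nonce) to the seed of a per-registration
// key pair. Each relying party gets its own key, and the token stores nothing
// per site because it can re-derive the key from the handle it handed out.
func (t *Token) deriveSeed(origin string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, t.master)
	mac.Write([]byte(origin))
	mac.Write(nonce)
	return mac.Sum(nil) // 32 bytes: exactly an Ed25519 seed
}

// Register issues a fresh key pair for one origin; the relying party keeps
// the key handle (here simply the nonce) and the public key.
func (t *Token) Register(origin string) (keyHandle []byte, pub ed25519.PublicKey) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	priv := ed25519.NewKeyFromSeed(t.deriveSeed(origin, nonce))
	return nonce, priv.Public().(ed25519.PublicKey)
}

// signedPayload is what both sides sign and verify: a hash of the origin (so
// an assertion made for one site is useless at another), a user-presence
// byte, the counter and a hash of the server's challenge.
func signedPayload(origin string, counter uint32, challenge []byte) []byte {
	var buf bytes.Buffer
	oh := sha256.Sum256([]byte(origin))
	ch := sha256.Sum256(challenge)
	buf.Write(oh[:])
	buf.WriteByte(0x01) // user presence confirmed (button touched)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(ch[:])
	return buf.Bytes()
}

// Authenticate answers a challenge for the origin the browser reports. A
// look-alike site is reported under its own origin, so both the derived key
// and the signed payload differ from what the genuine site registered.
func (t *Token) Authenticate(origin string, keyHandle, challenge []byte) (uint32, []byte) {
	t.counter++
	priv := ed25519.NewKeyFromSeed(t.deriveSeed(origin, keyHandle))
	return t.counter, ed25519.Sign(priv, signedPayload(origin, t.counter, challenge))
}

// RelyingParty is one site's view: the registration plus the last counter seen.
type RelyingParty struct {
	Origin      string
	KeyHandle   []byte
	Pub         ed25519.PublicKey
	lastCounter uint32
}

// Verify checks that the counter moved forward and that the signature binds
// this site's origin; a failure here is what a server should alert on.
func (rp *RelyingParty) Verify(counter uint32, challenge, sig []byte) error {
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	if !ed25519.Verify(rp.Pub, signedPayload(rp.Origin, counter, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	rp.lastCounter = counter
	return nil
}

func main() {
	tok := NewToken()
	site := &RelyingParty{Origin: "https://accounts.google.com"} // constructed
	site.KeyHandle, site.Pub = tok.Register(site.Origin)
	challenge := []byte("constructed-challenge-1")
	n, sig := tok.Authenticate(site.Origin, site.KeyHandle, challenge)
	fmt.Println("genuine origin:", site.Verify(n, challenge, sig))
	n, sig = tok.Authenticate("https://login.lookalike.example", site.KeyHandle, challenge)
	fmt.Println("look-alike origin:", site.Verify(n, challenge, sig))
}
```

Registering the same token with a second origin yields an unrelated public key, which is why one key covers many providers without them being able to correlate the registrations, and why a text message or a saved emergency code, which carries no origin at all, cannot offer the same protection.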
