[Cryptography] Google Titan Security Keys

Michael Nelson nelson_mikel at yahoo.com
Mon Jan 7 19:06:34 EST 2019


I'm wondering how the Google Titan Security Keys work for 2FA. I'm not sure what's going on under the surface here. The Google blurb, and write-ups on various middle-brow sites, just say something like: "You enter a URL in your browser, and put in your username, and you are prompted to stick your USB/Bluetooth key where it belongs. This authenticates you based on a secret key protected in the physical key."

There was a demo phishing attack recently on LinkedIn, where the phishing site acted as MITM to LI. The user entered two factors of some 2FA (not Google Security Keys as I recall), which were happily proxied to LI, giving the phisher login access.

So with this Google key, does it do anything other than protect the 2nd factor key in a handy portable form? I presume it presents itself as a keyboard and types into the browser window. Does it somehow enforce the target URL in a way that would defeat the LI attack?

The Google key is based on the FIDO/WebAuthn spec. I slogged through that stuff a year ago, and have forgotten it. Maybe part of the answer is in there. If so, can someone have mercy and save me from reading that again...

Mike
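Added example (not part of the post above, and not Google's or the FIDO alliance's code): a stand-alone Python sketch of the part of FIDO U2F/WebAuthn that bears on the target-URL question. In WebAuthn the browser, not the page, writes the caller's origin into clientDataJSON and refuses any rpId that is not the caller origin's domain or a parent of it; the key signs over authenticatorData (rpIdHash, flags, counter) plus SHA-256 of that clientDataJSON; the server then checks origin, rpIdHash, challenge and signature. The LinkedIn-style proxy gets a valid signature only over a client data block naming the phishing origin, which the real site rejects. The host names, the phishing origin linkedin-login.example and the fixed challenge are constructed; HMAC stands in for the ECDSA P-256 signature a real key produces, and the rpId-versus-origin rule is simplified from the public-suffix check browsers actually use.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# Constructed names: the relying party ("RP") stands in for the site in the
# post; the phishing origin is invented for the example.
RP_ID = "linkedin.com"
RP_ORIGIN = "https://www.linkedin.com"
PHISH_ORIGIN = "https://linkedin-login.example"


class SecurityKey:
    """Toy authenticator. The secret never leaves this object; the key only
    ever sees two hashes and signs over them plus a usage counter."""

    def __init__(self) -> None:
        # HMAC stands in for the ECDSA P-256 key pair a real key holds, so the
        # example runs on the standard library alone. What gets signed is the
        # point here, not the signature algorithm.
        self._secret = os.urandom(32)
        self.counter = 0

    def verifier_key(self) -> bytes:
        # A real RP stores the public key from registration; with a MAC
        # stand-in it holds this shared secret instead.
        return self._secret

    def get_assertion(self, rp_id_hash: bytes, client_data_hash: bytes):
        self.counter += 1
        # authenticatorData = rpIdHash(32) || flags(1, UP set) || signCount(4)
        auth_data = rp_id_hash + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(self._secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(key: SecurityKey, caller_origin: str, rp_id: str, challenge: str):
    """The WebAuthn client (browser). The page supplies rp_id and challenge;
    the browser decides the origin and refuses rpIds the origin does not own
    (simplified: real browsers consult the public suffix list)."""
    host = urlparse(caller_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{caller_origin} may not use rpId {rp_id!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": caller_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = key.get_assertion(
        hashlib.sha256(rp_id.encode()).digest(),
        hashlib.sha256(client_data).digest(),
    )
    return client_data, auth_data, sig


def rp_verify(verifier_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Server-side checks the relying party performs on a returned assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:      # stale or replayed challenge
        return False
    if cd.get("origin") != RP_ORIGIN:                  # browser saw some other site
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                   # credential scoped elsewhere
    expected = hmac.new(verifier_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


CHALLENGE = "constructed-challenge-0001"  # a real RP issues a fresh random one per login


def legitimate_login(key: SecurityKey) -> bool:
    """User really is on RP_ORIGIN and the page asks for RP_ID."""
    cd, ad, sig = browser_get_assertion(key, RP_ORIGIN, RP_ID, CHALLENGE)
    return rp_verify(key.verifier_key(), CHALLENGE, cd, ad, sig)


def phishing_mitm(key: SecurityKey) -> str:
    """The proxying attack from the post: the phishing page relays the RP's
    real challenge to the victim's browser and forwards whatever comes back."""
    try:
        # Attempt 1: request the real rpId from the phishing origin.
        browser_get_assertion(key, PHISH_ORIGIN, RP_ID, CHALLENGE)
    except PermissionError:
        pass  # browser refuses: nothing exists to relay
    else:
        return "browser allowed foreign rpId"
    # Attempt 2: request an rpId the phishing origin does own, then relay it.
    # (A real key would hold no credential for this rpId at all; the toy key
    # signs anyway, which only makes the attacker's position more generous.)
    cd, ad, sig = browser_get_assertion(key, PHISH_ORIGIN, "linkedin-login.example", CHALLENGE)
    if rp_verify(key.verifier_key(), CHALLENGE, cd, ad, sig):
        return "RP accepted relayed assertion"
    return "RP rejected relayed assertion"
```

The key never types anything and never sees a URL itself: it signs whatever two hashes the browser hands it, and the browser is the component that commits to the origin. That is why the defence holds against a proxy that can see and forward every byte, and why it depends on the browser's origin check rather than on the user noticing the wrong URL.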
