Having a high-security option will be useful for more than executives and politicians. Lawyers, doctors, Equifax employees — anybody who touches highly sensitive data will benefit.
Email is used as a privilege escalation path to pwn almost every other service we use. And we're finding that 2FA isn't the ultimate answer — OTPs are easy to phish, SMS can be socially engineered around without much difficulty, etc. As the value of digital data keeps going up, the sophistication of hacking groups and governments has gone up as well.
A highly secure browser connecting to an account with limited API access using a physical token is an excellent step. I'll buy it myself if it isn't obscenely expensive.
Some sort of 2FA done on a USB device might help. I'm thinking something open and free. The user can just extract, probably programmatically, the software to their own USB device and enter/configure any needed information.
Then, online accounts could query the device and see if there's a key that matches what was made when they set up the account or added 2FA. Each account could have its own key, associated with the owner's master key, and it'd have to match the one on file - something like that.
I imagine it'd have to be standardized and easy for site owners to implement. I guess it could also be done at some central location using something like OAuth, though individual sites should be able to add it - and fairly easily, and for just the cost of learning to add it. Maybe make it fairly simple, as easy as LetsEncrypt - or even easier.
Now, in my head, they'd enter their username (no password yet) and that's when the check would be performed. The site would request the token from the USB and the USB would request the token from the site. If the two match whatever criteria the security gurus come up with, they are prompted to enter their password. I suppose there could be additional checks and maybe even periodic polling from either the USB or the site.
Because the phishing site wouldn't have the correct key, it would fail and the user wouldn't even be asked for their password. Ideally, the user wouldn't have to do much more than carry their USB drive with them.
I suppose it should be easy for the owner to clone the USB key. It should also require some sort of master password to even authorize it to hand out keys. I imagine enterprises can lock them down to a key and a workstation, meaning that they can only work in certain computers and certain computers will only accept one physical key.
I am sure this can be refined and monetized. Selling solutions to businesses and services would be nice. Recovery should be possible but difficult. I'm sure it can be layered with additional features. It should probably be optional, and not mandated by law for the general population and for personal computing - but available for them.
I'm sure there are ways one can think of to get by it but it does seem like it'd be a good place to start. It also doesn't seem like it'd be technologically difficult to accomplish, or even necessarily expensive.
Personally I wouldn't trust most sites to implement complex auth mechanisms. On balance, I personally feel much more secure by OAuthing with a few big tech companies.
It seems like U2F fits most of your criteria: open and free, standardized and easy to implement, foils phishing, etc. It can't be easily cloned though.
This is exactly the kind of 2fa that I've envisioned in the past (not being familiar with U2F), with the exception that I think the ideal solution will be a U2F device that doesn't require a power source. A special kind of NFC chip. May already exist (not sure how feasible it is), but I'm not aware if it does.
The Yubikey Neo and at least one other U2F capable device support U2F over both USB (for laptops) and NFC (for use in Chrome on Android). The authenticator is not internally powered.
That looks like a good starting point. Does the site exchange tokens with the USB key, so that the device also confirms the site is who they should be?
My thinking is that the site should have a custom token to exchange with the device and the device should have a custom token to exchange per site.
I'd also love to see it easily replicated and free for the user to put on their own devices. People are going to lose them, in droves. They'd be password protected, of course. I guess you could make them delete their data if there are too many mistaken password attempts, as well as make it destroy the data if used in an unapproved computer - things like that. I figure they can layer different features atop it, depending on how much security is needed.
U2F has a per-site key. The browser acts as an intermediary between the site and USB authenticator.
My simplified understanding is that it works like this:
The first step is registration of the authenticator with the site. The site sends a registration request to the authenticator. The authenticator generates a new key pair. It encrypts the private key with a symmetric key that never changes and never can be extracted from the authenticator. Then it sends a registration response to the site, which includes BOTH the public key and the encrypted private key. The site is responsible for keeping the keys.
Then you are ready to authenticate. The site sends a challenge request to the authenticator which is unique and probably has an expiration time. Inside the challenge is the encrypted private key. The authenticator uses the never changing symmetric key to decrypt the private key, sign the challenge, and return it to the site. Then the site checks the signature against the public key on file.
The key benefit here is that the browser will not allow a site to send a challenge which is not for its own domain. Which means there is no way a phishing site can MITM the 2FA process. Even if they get a challenge from the real site, the browser won't let them present it to the authenticator to sign. As opposed to TOTP where the OTPs can be easily phished and used within the time window they are valid.
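The registration and authentication flow described in the comment above, written out as an added example (this is editor-supplied illustration code, not anything from the commenter, from Google, or from the U2F specification). It follows the commenter's model: the token keeps one device-wide wrapping key, hands the site a public key plus the wrapped private key (the "key handle"), and later signs a challenge whose client data the browser has stamped with the real page origin. The key-handle construction (AES-GCM with the app-ID hash as associated data), the JSON client-data layout, and the domains `https://mail.example` and `https://mail-example.test` are assumptions constructed for the demo; real authenticators differ in detail. The scenario at the end shows the two ways a look-alike page relaying a genuine challenge is stopped: the browser refuses a cross-origin request, and the key handle will not unwrap for any other app ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Authenticator models the USB token: a device-wide wrapping key that never
// leaves the device, plus a signature counter that lets a site spot clones.
type Authenticator struct {
	wrapKey []byte
	counter uint32
}

func NewAuthenticator() *Authenticator {
	k := make([]byte, 32)
	rand.Read(k)
	return &Authenticator{wrapKey: k}
}

func (a *Authenticator) aead() cipher.AEAD {
	block, _ := aes.NewCipher(a.wrapKey)
	g, _ := cipher.NewGCM(block)
	return g
}

func appIDHash(appID string) []byte { h := sha256.Sum256([]byte(appID)); return h[:] }

// Register makes a fresh per-site P-256 key pair. The site receives the public
// key and a key handle: the private scalar wrapped under the device key, with
// the app-ID hash as associated data so the handle only unwraps for that site
// (constructed design for this demo).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	g := a.aead()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	d := priv.D.FillBytes(make([]byte, 32))
	return &priv.PublicKey, append(nonce, g.Seal(nil, nonce, d, appIDHash(appID))...), nil
}

// signedMessage is what both sides compute and what the token signs:
// SHA-256(appIDHash || user-presence flag || counter || SHA-256(clientData)).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	m := append(appIDHash(appID), 0x01)
	m = append(m, ctr...)
	m = append(m, cdh[:]...)
	h := sha256.Sum256(m)
	return h[:]
}

// Authenticate unwraps the key handle (fails if it was issued for a different
// app ID), bumps the counter and signs the challenge data.
func (a *Authenticator) Authenticate(appID string, keyHandle, clientData []byte) ([]byte, uint32, error) {
	g := a.aead()
	ns := g.NonceSize()
	if len(keyHandle) < ns {
		return nil, 0, errors.New("malformed key handle")
	}
	d, err := g.Open(nil, keyHandle[:ns], keyHandle[ns:], appIDHash(appID))
	if err != nil {
		return nil, 0, errors.New("key handle was not issued for this app ID")
	}
	priv := &ecdsa.PrivateKey{D: new(big.Int).SetBytes(d)}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(d) // recover the public point from the scalar
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(appID, a.counter, clientData))
	return sig, a.counter, err
}

// ClientData is the browser's contribution: the site's challenge plus the
// origin of the page that actually made the request. A page cannot choose
// its own origin, which is what makes the later origin check meaningful.
type ClientData struct {
	Type      string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BrowserSign plays the browser: it refuses a request whose app ID is not the
// requesting page's own origin, then asks the authenticator to sign.
func BrowserSign(a *Authenticator, pageOrigin, appID string, keyHandle, challenge []byte) ([]byte, []byte, uint32, error) {
	if appID != pageOrigin {
		return nil, nil, 0, fmt.Errorf("browser: page %s may not sign for app ID %s", pageOrigin, appID)
	}
	cd, _ := json.Marshal(ClientData{"navigator.id.getAssertion", hex.EncodeToString(challenge), pageOrigin})
	sig, ctr, err := a.Authenticate(appID, keyHandle, cd)
	return cd, sig, ctr, err
}

// Site is the relying party: it keeps each user's public key, key handle and
// last counter, and issues one-time challenges.
type enrolment struct {
	pub       *ecdsa.PublicKey
	keyHandle []byte
	counter   uint32
}

type Site struct {
	AppID      string
	users      map[string]*enrolment
	challenges map[string][]byte
}

func NewSite(appID string) *Site {
	return &Site{appID, map[string]*enrolment{}, map[string][]byte{}}
}

func (s *Site) Enroll(user string, pub *ecdsa.PublicKey, keyHandle []byte) {
	s.users[user] = &enrolment{pub: pub, keyHandle: keyHandle}
}

func (s *Site) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.challenges[user] = c
	return c
}

// Verify checks the origin the browser recorded, the (one-time) challenge,
// the counter, and finally the signature against the public key on file.
func (s *Site) Verify(user string, clientData, sig []byte, counter uint32) error {
	e, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if cd.Origin != s.AppID {
		return fmt.Errorf("client data origin %s is not this site", cd.Origin)
	}
	if cd.Challenge != hex.EncodeToString(s.challenges[user]) {
		return errors.New("challenge mismatch or replay")
	}
	delete(s.challenges, user)
	if counter <= e.counter {
		return errors.New("counter did not advance: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(e.pub, signedMessage(s.AppID, counter, clientData), sig) {
		return errors.New("bad signature")
	}
	e.counter = counter
	return nil
}

// RunScenario registers one token with a site, logs in legitimately, then has a
// look-alike page relay a genuine challenge. It returns the legitimate login
// result (nil on success) and the errors that stop the two relay attempts.
func RunScenario() (legit, crossOrigin, wrongAppID error) {
	site := NewSite("https://mail.example")  // constructed app ID / origin
	phisher := "https://mail-example.test"   // constructed look-alike origin
	auth := NewAuthenticator()
	pub, handle, err := auth.Register(site.AppID)
	if err != nil {
		return err, nil, nil
	}
	site.Enroll("alice", pub, handle)

	// Legitimate login: the page at the real origin asks for the real app ID.
	cd, sig, ctr, err := BrowserSign(auth, site.AppID, site.AppID, handle, site.Challenge("alice"))
	if err != nil {
		return err, nil, nil
	}
	legit = site.Verify("alice", cd, sig, ctr)

	// Relay: the look-alike page fetches a fresh challenge from the real site and
	// asks the victim's browser to sign it for the real app ID. The browser
	// sees the page's true origin and refuses.
	relayed := site.Challenge("alice")
	_, _, _, crossOrigin = BrowserSign(auth, phisher, site.AppID, handle, relayed)

	// Using its own origin as the app ID gets past the browser, but the key
	// handle was bound to the real site's app ID and will not unwrap.
	_, _, _, wrongAppID = BrowserSign(auth, phisher, phisher, handle, relayed)
	return legit, crossOrigin, wrongAppID
}

func main() {
	legit, crossOrigin, wrongAppID := RunScenario()
	fmt.Println("legitimate login:", legit)
	fmt.Println("cross-origin relay:", crossOrigin)
	fmt.Println("wrong app ID relay:", wrongAppID)
}
```

Two points the code makes explicit beyond the comment's summary: the challenge is consumed on first use, so a captured assertion cannot be replayed, and the token's counter must increase on every assertion, which is how a site can notice a second copy of the same token in use.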
I hope this purported initiative will be accessible to all users, not just to those on a whitelist. As it currently stands, I can use a security key as my second factor, but I can also receive a text message, which defeats the whole point of the key. I would love to see an option to not use SMS as my second factor.
You're right. You have to set up SMS to set up other types of 2FA, but you can remove your phone number afterwards. I think Google just doesn't want less experienced users getting locked out.
This is broken, because you absolutely know Google will keep your phone # around and linked to your account, even after deleting it from the UI. No U2F for me, cause Google has to know my phone #... except I don't have a phone, cause I'm deaf.
Being deaf doesn't preclude you from having a phone, especially a smart phone, which has plenty of applications that do not require sound and many of which actually have accessibility features for the deaf.
They are the same, but the article said "His Gmail messages were hacked" rather than "Podesta was hacked". The former implies (or could be interpreted as implying) that Gmail itself was breached, which is not true in this case.
Is 2fa that big of a deal to a dedicated attacker who gets the victim to enter their info into a phishing page? (Just thinking of passcode-style 2fa, not usb key 2fa.) The attacker just has to forward the victim's login info to a login page, and then if the attacker gets a 2fa prompt, they prompt the victim with a 2fa prompt and then forward the victim's answer immediately.
I understand a lot of attackers don't bother since there's plenty of easier victims without 2fa, but if they're targeting a specific individual, it's not that much more work to make their attack work on 2fa too.
The CIA's missions for the past 60 years have been overthrowing random governments and imposing dictatorships just for fun (with the results almost always backfiring massively on the US) and spreading ridiculous propaganda. Their lies and interference made the Middle East the mess it is today. If they're trustworthy, so is Charles Manson.
Really? Despite their motivations to distort reality and after all the incompetence they displayed over the decades, you still consider CIA a credible source? You're not even reading their internal reports, these are just some leaks and statements to the press.
What does Ukrainian separatists (who, yes, enjoy Russian backing) mistakenly shooting down a passenger plane have to do with Russians supposedly hacking the DNC? It's like saying the US must be making it up because look at the pictures of Abu Ghraib.
You are not supposed to believe everything CIA says is true. The most basic application of 'Critical reading' and evaluation of their past statements disproves that.
If you want to 'believe in' CIA (as opposed to the 'hostile state'), what you should believe is that whatever CIA tells you to believe is beneficial to you and the States, regardless of if it is true.
Now of course you might be thinking, are you and the States really millions of Afghan, Iraqi, Libyan and Syrian lives more safe?
We just recently ended a war that was started because of that sort of thinking. It even involved that same government agency. You might even say we are still dealing with the horrific aftermath from that war, caused by that same sort of thinking, done by that same group of people...
I hope they add U2F support to their desktop (Windows/macOS) applications (Drive File Stream, Backup & Sync, etc).
Having U2F only should be amazing but it sure sucks when you have to add less secure methods to sign in on the desktop :/.
Additionally, for G Suite organizations, locking anyone but enterprise users out from requiring U2F for their users (or an OU) is a bit of a kick in the pants when that’s the only feature you desire (a security one at that!) and going from Business to Enterprise is most likely a hefty price hike.
Techmeme summary: Sources: Google to launch Advanced Protection Program marketed at high-profile users that replaces 2-factor auth with physical keys, blocks all third party apps
If you make a product that just requires them to plug it in to access their email then yes they'll use it. It's about usability and people would understand the key unlocking their email.