back to article Google tries putting an NFC ring on it: Bonking will keep you SAFE

Google has started testing NFC keyrings from one-time-pad makers Yubico, with a view to offering them to ordinary punters next summer as a secure way of accessing the Google cloud. The keyrings feature a USB interface and an embedded NFC tag, either of which can supply a one-time password securing connection. The technique is …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Anything that can be plugged in can get infected.....

    1. Ben Rose
      Megaphone

      Yes, of course...

      We had to put down 6 mice last week due to incurable infections.

      1. Black Rat

        Re: We had to put down 6 mice

        Did you not get the memo about keeping their balls clean?

  2. Anonymous Coward
    Anonymous Coward

    Flawed

    Good idea for a software-less solution. Just a shame it's for security from a company that no one wants to use anymore because they also give the NSA/GCHQ the keys too. The browser url will be tracked too.

    Not to mention the fact one may be a bit dubious about putting usb devices in their pc that come from companies that are elbow deep with those spooks.

    1. DaLo

      Re: Flawed

      I never realised there was such a big scandal with Yubico? I hadn't even heard of them until now.

      1. Evil Terran

        Re: Flawed

        DaLo, I'm guessing AC is talking about Google, completely missing the point that they don't have anything to do with the manufacture of these devices.

        Or maybe just ignoring that point so they can grind their favourite axe.

    2. CaptainHook

      Re: Flawed

      The browser url will be tracked too.

      *****

      Of course it will, but since it's a one time password it doesn't matter.

      Of course you are still vulnerable to being tapped by Man In The Middle attacks but thats not the fault of the key generator

      1. Tom 38

        Re: Flawed

        Of course you are still vulnerable to being tapped by Man In The Middle attacks but thats not the fault of the key generator

        Assuming they can perform a MITM attack on SSL, in which case it doesn't matter whether the user types in the 2nd factor, or it is read from a NFC chip or even assembled by firing photons from a massive space gun at your phone.

        1. Anonymous Coward
          Anonymous Coward

          Re: Flawed

          NSA compromises aside it still seems flawed.

          Today I've got a keyring device I can type a code into and it gives me a number to use for my bank.

          This device replaces my device and doesn't need a password. So, I imagine I have to type the password into the phone instead and the device passes a secure password too.

          I can't see the difference between that and having a program on the phone which generates the password (like the device in the article) and then I type my password in. What's the advantage of having the device separate once I don't type a password into it?

          It's true that phones can be compromised but if that happens the attacker could take my passwords, as they are passed to the phone and perpetrate whatever skulduggery they desire.

  3. cs94njw

    At last! A nice secure way to access online banking without, hopefully, having to remember a long random number.

    1. DrXym

      Two factor authentication is called such because you must supply two things to authenticate, e.g. something you know and something you own, such as a pin and a hard token.

      If you make it single factor by removing the requirement of one of those things then you weaken the security in different ways. So I don't see it likely that adding a NFC based token would mean they take away another form of authentication. Most likely you would have to supply both, if not to see your account balance then at least for operations which involve transferring money into or out of your account.

      1. Boothy

        Indeed.

        As someone who already uses 2 factor authentication with their bank, the token was added to the security, they don't remove the 'something you know' bit.

        As pointed out, for 2 factor, you need two separate types of information. The types being (genrally):

        * Something you know (passwords, secret question/answer, fixed pins etc.)

        * Something you have (tokens. pin generator eyc.)

        * Something you are (fingerprints, retinal scans etc.).

        You need at least one item from two of the above three options for it to be multi factor.

        So a username, password and a secret question is still single factor. As they are still all things you know.

  4. Cliff

    I'd use that

    I believe in 2FA, but it's a pain in the arse sometimes. If this makes it easier, maybe more people will use it, and things get a little safer.

  5. MartinBZM
    Angel

    I keep my passwords

    stored with the NSA.

    The only problem is that I do not have their Service Desk phone number to get them back ;-)

  6. Mookster
    Boffin

    So what makes you think it's an OTP

    https://sites.google.com/site/oauthgoog/gnubby

    1. Old Handle
      Facepalm

      Re: So what makes you think it's an OTP

      As best I can tell, Yubico is completely misusing the term. They're also using OTP to stand for One-Time-Password in some places, but they do directly say "one-time-pad" in others. Nothing about the description makes it sound like that's accurate at all.

  7. Boothy

    Industry Standard?

    Isn't it about time a proper standard was defined for multi factor authentication? Including APIs etc.

    Then once defined, and accepted, newer ISO standards and such for security, such as how banks, the government and other organisations do authentication and identification, could then be updated to insist they support this one standard.

    That way you could get one token, but it then works universally for anyone complying with the standard.

    Otherwise we are going to just end up with a pocket full of these, one for each service or set of services you use.

    This would also help get round the growing issue of being able to prove who you are, such as when applying for loans or a new passport etc. ("Please bring in 3 recent utility bills with your name and address on it", "erm, I do everything on line, I don't get bills in the post!")

  8. Anonymous Coward
    Anonymous Coward

    Provides a browser URL?

    Surely on an Android phone it could 'type' in the password the same as when you insert it in a computer as a USB device. Then it would actually be sort of convenient. Why would they have it providing a URL and unnecessarily difficult to use? This makes no sense at all.

    I don't always bring my keys with me when I leave the house and wouldn't want to have to, and I certainly don't want to have to keep them by my computer to log into my bank. What a pain. Maybe the "something I have" for two factor security could be something that I do have by my computer....like, say, my phone? No, that would be too obvious.

    Couldn't phones have (if they don't already) a private key built into them so they could be uniquely identified and thus be your security device instead of requiring something separate? Yeah, a phone can be compromised, but a security solution that isn't convenient to use won't get used, and therefore does nothing to improve security. Google could put the access to the security routine in some low level firmware that can't be touched and thus would be secure even on a compromised Android device.

This topic is closed for new posts.

Other stories you might like