Google puts Chrome credentials on USB drives for two-factor authentication

Google has announced support for a platform which will allow users to log into applications by pressing a button on a secured USB drive. The company announced that it will add support for the Security Key platform into Google applications on Chrome. The decision brings two-factor authentication to Google's apps. Security Key …

  1. Anonymous Coward
    Anonymous Coward

    Wait for it, the screaming...

    as the spooks will undoubtedly raise the FUD factor to "Absurd" in an attempt to derail the oncoming horde of personal privacy assurance.

    The issue: they created this situation in the first place. If they would have reined themselves in, their desire to reach anywhere and everywhere they could because they could, they wouldn't be in this oncoming position. They, the government spooks, triggered "The George Orwell Factor", the fear of Big Brother, and now they are trying to control their self-induced damage of the general public attempting to assure their own personal privacy.

    Oops.

    The battle lines are being drawn as we watch: how much can private individuals and industry do to give the customer what they (now, finally) want, better privacy, vs the government's desire to keep their hands in the cookie jar. The spooks will yell, "Think of the children!", and the public will yell back "For every stupid 'children' fear comment, god kills a kitten!", and many of us will break out the popcorn as our 'duly elected' politicians attempt a land-grab on a power base of data. And don't think that this isn't ultimately [your] politician's fault: they created the laws and they are the ones not rewriting the laws to stop the data abuse.

    But we'll vote them back in anyway.

    Ah, the humanity.

  2. JeffyPoooh
    Pint

    Oh, so now...

    Oh, so now IT security is improved with USB ports?

    I told them it wasn't a good idea to fill the USB sockets with epoxy.

  3. Anonymous Coward
    Black Helicopters

    BadUSB

    Given the NSA's Tailored Access Operation's ability to inject itself into the logistics chain, how exactly are you going to be certain of the provenance of that stick? Next, how secure will it remain as you go from device to device? Tinfoil hat perhaps, but I don't have any concerns in that direction. I signed that away long ago. You likely did not.

    1. hazzamon

      Re: BadUSB

      These security keys aren't flash drives. They are just secure ICs. Yubico's models, for instance, have non-upgradable read-only firmware so are not susceptible to BadUSB.

      1. Anonymous Coward
        Anonymous Coward

        Re: BadUSB

        These security keys aren't flash drives. They are just secure ICs. Yubico's models, for instance, have non-upgradable read-only firmware so are not susceptible to BadUSB.

        Yes and no. You can still mess with its configuration, so there is a way in which may prove a problem. That's not to say it IS a problem, but I sure hope they locked it down well.

        Having said that, the signs themselves are good - the Yubikey is mature enough to have a track record, and it's quite solid. Google's, not so much.

        There is, however, another challenge. Not every system has a USB slot, so I guess we're now talking about a device, which will have an NFC chat with my smartphone, which then talks to whatever online resource I use. Thank God for baggy pants..

    2. Velv
      Flame

      Re: BadUSB

      I think you need to go away and do a bit more sensible research before you post wide conspiracy theories about what will happen.

      While it's not entirely impossible the NSA or other security service might be able to "inject" or otherwise compromise some of these secure physical keys, the safeguards and checksums make it highly unlikely.

      Start by reading up on Yubico, their manufacturing plant in a forest in Sweden, and the processes surrounding the securing of each transaction. Not perfect, but doing multiples of the right things in security layers to prevent tampering.

      And (almost) anything is better than a single password entered on a web page...

    3. JeffyPoooh

      Re: BadUSB

      The 'BadUSB' title distracted from an otherwise very good point on being "...certain of the provenance of that stick...".

      Borrow a target's car keys (e.g. valet parking) and swap their FIDO 2FA thingy with a Trojan horse look-alike USB stick filled to the brim with zero-day exploits, then at least you can be assured that they'll bring it to work and stick it straight into their PC first thing in the morning. No more relying on human nature and scattering USB sticks around the parking lot.

      1. Robert Helpmann??
        Childcatcher

        Re: BadUSB

        Borrow a target's car keys (e.g. valet parking) and swap their FIDO 2FA thingy...

        Good point. I am not sure I understand the rationale of requiring a plug-in device rather than a randomly generated string. There are devices that do not require any communication with or through the device being used to access the web page (e.g. RSA SecurID). They can still be defeated, but I would think they are less vulnerable to attack than the method described in the article and are more widely usable.

  4. Anonymous Coward
    Holmes

    Kind of nice

    The new keys are cross platform - Win, Mac, Linux.

    1. getHandle

      Re: Kind of nice

      What's the betting that you'll still have to wait for Windows to "install" the device every time before you can use it...

      1. Velv

        Re: Kind of nice

        My Yubikey on Windows 8.1 is pretty much instant. It's only a keyboard after all, it just "keys" a 40 character one time string for you.
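        The "keyboard that types a one-time string" Velv describes is the Yubico OTP mode: the key types a 44-character modhex string made of a 12-character public ID followed by a 16-byte record encrypted with a per-key AES-128 secret. The following Go program is an added example, not Yubico's code or anything from this thread, showing both halves of that exchange: what the hardware emits on a button press and what the validation server has to check before accepting it, in particular the monotonic counters that make a captured OTP useless a second time. The public ID, private ID and AES key are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: 16 letters that sit in the same place on nearly every keyboard layout,
// so the key can "type" them anywhere; in order they stand for hex digits 0..f.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhex[x>>4])
		sb.WriteByte(modhex[x&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("invalid modhex character near position %d", i)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the ISO 13239 / X.25 CRC (reflected poly 0x8408, init 0xffff). The key
// stores its complement in the last two record bytes, so an intact record yields 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // xor in the polynomial when the low bit is set
		}
	}
	return crc
}

// Key is one registered device as the validation server sees it: shared secrets plus replay state.
type Key struct {
	PublicID  string // 12 modhex chars sent in clear, selects this record
	PrivateID []byte // 6 bytes, only ever seen inside the encrypted record
	AESKey    []byte // 16 bytes, shared only with the validation server
	LastSeen  uint32 // sessionCtr<<8 | useCtr of the last accepted OTP
}

// MakeOTP does what the hardware does on a button press: a 16-byte record (private ID,
// counters, timestamp, random, CRC) as one AES-128 block, modhex-encoded behind the public ID.
func (k *Key) MakeOTP(sessionCtr uint16, useCtr uint8, ts uint16, rnd uint16) string {
	rec := make([]byte, 16)
	copy(rec[0:6], k.PrivateID)
	binary.LittleEndian.PutUint16(rec[6:8], sessionCtr) // bumped on every power-up
	binary.LittleEndian.PutUint16(rec[8:10], ts)        // low timestamp bits; rec[10] holds the high byte
	rec[11] = useCtr // bumped on every press within a session
	binary.LittleEndian.PutUint16(rec[12:14], rnd)
	binary.LittleEndian.PutUint16(rec[14:16], ^crc16(rec[:14]))
	block, _ := aes.NewCipher(k.AESKey) // 16-byte key, so NewCipher cannot fail
	ct := make([]byte, 16)
	block.Encrypt(ct, rec)
	return k.PublicID + modhexEncode(ct)
}

// Verify is the server side: decrypt, check integrity and identity, then refuse
// any counter that does not move forward. It returns the combined counter accepted.
func (k *Key) Verify(otp string) (uint32, error) {
	if len(otp) != 44 || otp[:12] != k.PublicID {
		return 0, errors.New("malformed OTP or unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return 0, err
	}
	block, _ := aes.NewCipher(k.AESKey)
	rec := make([]byte, 16)
	block.Decrypt(rec, ct)
	if crc16(rec) != 0xf0b8 || !bytes.Equal(rec[:6], k.PrivateID) {
		return 0, errors.New("integrity or private ID check failed: wrong key or corrupted OTP")
	}
	ctr := uint32(binary.LittleEndian.Uint16(rec[6:8]))<<8 | uint32(rec[11])
	if ctr <= k.LastSeen {
		return 0, errors.New("replay: counter not beyond the last accepted OTP")
	}
	k.LastSeen = ctr
	return ctr, nil
}

// newTestKey registers one constructed device; the secrets are sample values, not real ones.
func newTestKey() *Key {
	return &Key{PublicID: "ccccccbcgujh", PrivateID: []byte{1, 2, 3, 4, 5, 6}, AESKey: []byte("0123456789abcdef")}
}
```

        Typing the same string twice is the case worth watching: the second call to Verify fails on the counter check even though the CRC and private ID are still fine, and an OTP generated in an earlier session (lower session counter) is refused for the same reason. The counters live in the encrypted block, so whoever captures the string from a keyboard logger learns nothing that lets them forge the next one without the AES key.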

  5. Buzzword

    Malware

    This is no protection against a malware-infected computer though.

    Banks (in the UK at least) have a better system. They issue a device which generates one-time tokens which you type into the computer. The twist is that when you make a payment to a new recipient, the last four digits of the challenge code must match the last four digits of the recipient's bank account number. Thus your one-time-code is only valid for a specific transaction, not for any transaction; and crooks can't redirect the underlying website to send the money to their own accounts instead.

    Since this doesn't protect against malware, and HTTPS already protects against man-in-the-middle attacks, what exactly is this supposed to defend against?
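    The transaction-bound code Buzzword describes can be shown end to end in a few lines. The Go program below is an added example, not any bank's code or anything from this thread: the reader turns a card secret plus the challenge (the last four digits of the recipient's account number) into an 8-digit code, and the bank's server recomputes that challenge from the payment it is actually about to execute rather than from anything the browser sends. The HMAC-SHA256 construction with HOTP-style truncation is an assumption made here for illustration; a real EMV CAP reader uses the card's own cryptogram. The card secret and account numbers are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// lastFour extracts the four trailing digits of an account number: the part of
// the recipient's details the bank shows as the challenge and the customer keys
// into the reader. Non-digits (spaces, dashes) are ignored.
func lastFour(account string) string {
	digits := make([]byte, 0, len(account))
	for i := 0; i < len(account); i++ {
		if account[i] >= '0' && account[i] <= '9' {
			digits = append(digits, account[i])
		}
	}
	if len(digits) < 4 {
		return ""
	}
	return string(digits[len(digits)-4:])
}

// readerResponse models the hand-held reader: an 8-digit code computed from the
// card secret and the challenge the customer typed. HMAC-SHA256 with RFC 4226
// style dynamic truncation is an assumption for this example; a real EMV CAP
// reader derives the code from the card's cryptogram instead.
func readerResponse(cardKey []byte, challenge string) string {
	mac := hmac.New(sha256.New, cardKey)
	mac.Write([]byte(challenge))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", code%100000000)
}

// Payment is what the bank's server is actually about to execute.
type Payment struct {
	Recipient string
	Amount    int
}

// bankVerify recomputes the challenge from the payment the server will execute,
// never from anything the browser claims, so a recipient swapped in transit
// yields a different challenge and the customer's code no longer matches.
func bankVerify(cardKey []byte, p Payment, submitted string) bool {
	expected := readerResponse(cardKey, lastFour(p.Recipient))
	return hmac.Equal([]byte(expected), []byte(submitted))
}

func main() {
	cardKey := []byte("constructed-card-secret") // sample value, not a real key
	intended := Payment{Recipient: "31926819", Amount: 250}
	code := readerResponse(cardKey, lastFour(intended.Recipient)) // customer types "6819", reads back the code
	fmt.Println("genuine payment accepted:", bankVerify(cardKey, intended, code))
	redirected := Payment{Recipient: "99990000", Amount: 250} // recipient altered after the customer signed
	fmt.Println("redirected payment accepted:", bankVerify(cardKey, redirected, code))
}
```

    Two limits of the scheme as described are visible in the code. Only the recipient's last four digits go into the challenge, so the same code still verifies if the amount is changed, and any account whose number ends in the same four digits would validate too; binding the amount (and a counter from the card) into the challenge is what closes those gaps.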

    1. Jason 41

      Re: Malware

      But why oh why can the banks not tie that token into Verified by Visa etc?

      For me at least I wouldn't find the need to have my token around, to buy something online, a pain.
