Security Keys Neutralized Employee Phishing – Krebs on Security




Google has not had a single one of its 85,000 employees' work accounts compromised by phishing since the beginning of 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey security key manufactured by Yubico. The basic model pictured here costs $20.

Security keys are inexpensive USB devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a website with something they know (the password) and something they have (for example, a mobile device).

A Google spokesperson said that security keys are now the basis of all account access at Google. "[…] security keys at Google," the spokesperson said. "Users may be asked to authenticate using their security key for many different applications/reasons. It all depends on the sensitivity of the application and the risk of the user at that time."

The basic idea of two-factor authentication is that even if thieves manage to phish or steal your password, they cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device by SMS or an app. Before the 2017 change, Google employees also relied on one-time codes generated by a mobile app, Google Authenticator.

A security key, by contrast, implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which lets the user complete the login process simply by inserting the USB device and pressing a button on it. The key works without the need for special software drivers.

Once a device is registered with a specific website that supports security keys, the user no longer needs to enter a password at that site (unless they try to access the same account from another device, in which case the site will ask the user to insert the key).

U2F is an emerging open authentication standard, and as such only a handful of high-profile sites support it so far, including Dropbox, Facebook, GitHub (and of course the various Google services). Most major password managers also support U2F, including Dashlane, Keepass and LastPass. Duo Security [full disclosure: an advertiser on this site] can also be configured to work with U2F.

Hopefully, other sites will soon begin to incorporate the Web Authentication API, also known as "WebAuthn", a standard proposed by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type their passwords, removing the threat of common password-theft methods such as phishing and man-in-the-middle attacks.

Currently, U2F is supported by Chrome, Mozilla Firefox and Opera. In Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To enable it, type "about:config" in the address bar, type or paste "security.webauth.u2f", and double-click the resulting entry to change the preference's value from "false" to "true".

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article on 9to5Mac.com, Apple has not yet said when or whether it will support the standard in its Safari browser.

Probably the most popular manufacturer of security keys is Yubico, which sells a basic U2F key for $20 (it offers standard USB versions as well as ones made for devices that require USB-C connections, such as Apple's latest Mac OS systems). Yubico also sells more expensive U2F keys designed to work with mobile devices.

If a site you visit does not yet support WebAuthn, consider strengthening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. Twofactorauth.org probably maintains the most complete list of sites supporting 2FA, indexing each by type of site (email, gaming, finance, etc.) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app such as Google Authenticator or Authy. That is because thieves can intercept the one-time code by convincing your mobile provider to swap your device's SIM card or to "port" your mobile number to another device. Still, if the only 2FA options a site you frequent offers are SMS and/or phone calls, that is better than relying on a password alone.

While we're on the subject of multi-factor authentication, I should note that Google now offers an additional set of security measures for all its properties called Advanced Protection. Exactly how Google's Advanced Protection works (and the trade-offs involved in turning it on) will probably be the subject of another story here, but Wired.com recently published a decent account of it. Incidentally, that article includes a step-by-step guide on how to incorporate security keys into Advanced Protection.

I have been using Advanced Protection for several months now without major problems, although it took me a few tries to get it set up properly. One frustrating aspect of having it turned on is that it does not allow the use of third-party email applications like Mozilla Thunderbird or Outlook. I found this frustrating because, as far as I know, there is no built-in way in Gmail to encrypt PGP/OpenGPG emails, and some readers prefer to share tips that way. Previously, I had used Thunderbird with a plugin called Enigmail to do so.

Tags: 2FA, Chrome, Dashlane, Dropbox, Duo Security, Edge, Facebook, FIDO Alliance, Firefox, Quantum Firefox, GitHub, Google Advanced Protection, Keepass, lastpass, microsoft, opera, safari, security keys, U2F, Web Authentication API, WebAuthn, World Wide Web Consortium, Yubikey

