loudla.blogg.se

Yubikey 5ci




Those attacks presented targets with convincing emails purportedly from Google. They warned, falsely, that the target's account password had been obtained by an outsider and should immediately be changed. When Hillary Clinton's presidential campaign chairman John Podesta and other Democrats complied, they effectively surrendered their passwords to hackers. Although hackers have many ways to compromise accounts, phishing remains one of the most popular, both because it's easy and because the success rate is so high.

APP makes such attacks all but impossible. The cryptographic secrets stored on the physical keys required by APP can't be phished and, theoretically, can't be extracted even when someone gets physical access to a key or hacks the device it connects to. Unless attackers steal the key, something that's not feasible remotely, they can't log in even if they obtain the target's password. A 2016 study of 50,000 Google employees over two years found that security keys beat out other forms of 2FA, both for security and reliability.

Think of APP as two-factor authentication (2FA) or multifactor authentication (MFA) on steroids. APP combines the security of physical keys with a rigorous method for locking down an account. When first setting up APP, users must enroll two security keys such as those made by Yubico or Titan Security. Once the keys are enrolled, all devices that may be logged in to the account are automatically logged out and can only be logged back in using one of the keys as a second factor. Users must also use the keys when logging in from any new devices for the first time. (Google calls this process bootstrapping.)

Once a device is authenticated, it by default no longer needs the second authentication factor during subsequent logins. Even then, Google may require a second factor again in the event that company employees see logins from suspicious IPs or other signs that the account has been, or is close to being, hijacked. APP works with all Google apps as well as its Nest series of smart home services, but it restricts the third-party apps to all but a handful. Google says that APP provides additional safeguards but has never offered many details beyond that.

The phone-based keys, which comply with the recently introduced WebAuthn standard (more about that later), work only when Bluetooth is enabled on both the phone and the device that's being bootstrapped. On top of that, the keys only work when both the phone and the bootstrapped device are in close proximity to each other.





