Google Reportedly Plans Stronger Authentication Options
Experts Welcome 'Advanced Protection Program' Involving Physical USB Keys
In response to nation-state attackers targeting its account users, Google reportedly is planning to offer stronger authentication to politicians, corporate executives and other at-risk individuals as part of a service called the Advanced Protection Program.
The program, Bloomberg reports, includes the use of a second USB security key, and it will block all third-party programs from accessing a user's emails or files on Google Drive.
Google, which is part of Alphabet Inc., didn't immediately respond to a request for comment.
The technology giant's reported security move follows last year's revelations that the Gmail account used by John Podesta, Hillary Clinton's 2016 campaign chairman, was hacked.
Some of Podesta's emails ended up being published on DCLeaks.com and on a WordPress site authored by Guccifer 2.0 - a persona that U.S. intelligence agencies believe was concocted by Russian intelligence. WikiLeaks later received the emails and published them as well (see Tainted Leaks: Researchers Unravel Cyber-Espionage Attacks).
Security researchers say Podesta did not appear to be using any two-factor or multi-factor authentication to protect his Gmail account. Google's two-step verification setting, for example, sends a one-time login code to a user via SMS or a voice call, or a user can tap the Google Authenticator app to generate the code.
But these additional log-in factors can be intercepted by attackers.
"SMS is the weakest and not considered secure, especially for high profile users," Chester Wisniewski, principal research scientist at British anti-virus firm Sophos, tells Information Security Media Group. "Time-based tokens like Google Authenticator are good, but can be phished. Google also offers push notifications to Android users, which are reasonably secure, but nothing really beats a physical token."
Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure, tells ISMG that phishing attackers can send victims to sites that collect their Gmail login usernames and passwords, as well as their SMS codes or one-time tokens. Working quickly, attackers can log in to victims' accounts before the codes or tokens expire.
Google began warning users in 2012 when it suspected their accounts were being targeted by state-sponsored actors. Later, Facebook and Twitter followed suit.
In 2014, Google announced that Gmail and its other services would be compatible with Security Key, which it describes as "a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google."
Earlier this year, Google added the ability for administrators to require Security Key to access the so-called G Suite, which bundles such apps as Gmail, Docs, Drive and Calendar.
By enforcing the use of the additional APP security key, an admin could have blocked the Podesta phishing attack from happening. "With the APP key in place, Podesta would not have been able to enter his credentials into the web form on his mobile device, as part of what's needed requires a PC and a supported browser," Sullivan says. "And if he was sitting at his PC, the [phishing] form he interacts with won't have the USB key on its end when trying to login to Google. If the browser actually communicating with Google doesn't see the physical key - no access. And no access means that you can't set up additional devices."
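The difference the experts describe, as an added sketch that is not from the article or from Google: a one-time code says nothing about the page it was typed into, while a U2F-style assertion signs the origin the browser saw. Both origins are constructed, and HMAC with a per-credential key stands in for the token's ECDSA P-256 signature.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://accounts.example"           # constructed relying-party origin
PHISH_ORIGIN = "https://accounts-login.example"  # constructed look-alike origin

def totp(secret, now, step=30):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits), as authenticator apps generate it."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def server_accepts_totp(secret, submitted, now):
    # The code carries no record of which page collected it, so a code
    # typed into a look-alike page and forwarded in time still matches.
    return hmac.compare_digest(totp(secret, now), submitted)

def signed_bytes(app_id, counter, client_data):
    # U2F layout: SHA-256(appId) | user-presence byte | counter | SHA-256(clientData)
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())

class SecurityKey:
    """Toy token; HMAC is an assumed stand-in for the real ECDSA signature."""
    def __init__(self, cred_key):
        self.cred_key, self.counter = cred_key, 0

    def sign(self, app_id, client_data):
        self.counter += 1
        msg = signed_bytes(app_id, self.counter, client_data)
        return self.counter, hmac.new(self.cred_key, msg, hashlib.sha256).digest()

def browser_assert(key, page_origin, challenge):
    # The browser, not the page, fills in the origin that gets signed.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    counter, sig = key.sign(page_origin, client_data)
    return client_data, counter, sig

def server_accepts_u2f(cred_key, challenge, client_data, counter, sig):
    data = json.loads(client_data)
    if data["origin"] != RP_ORIGIN or data["challenge"] != challenge:
        return False  # assertion was produced on some other site
    expected = hmac.new(cred_key, signed_bytes(RP_ORIGIN, counter, client_data),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```

An assertion produced on the look-alike origin fails the server's check even if its client data is edited afterwards, because the signature covers both the origin hash and the client-data hash.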
Two Keys: Better Than One?
Google's new Advanced Protection Program will build on the physical USB Security Key, and require a second, physical USB key, Bloomberg reports.
Devices that offer U2F - for universal 2nd factor - comply with an open authentication standard designed to integrate specialized USB and NFC devices. The standard is maintained by the FIDO Alliance, for "Fast IDentity Online," which promulgates interoperable authentication standards.
"The method Google endorses is called U2F and I have used it and think it is pretty darned good," Wisniewski says, noting that he's been a Yubikey user for about 10 years. "I am not a user of Google services, so I haven't used it with them very much, but I have used it with Facebook and other services and have studied the protocol enough to be quite confident in its design and implementation."
As searching for "U2F" on Amazon.com highlights, users have dozens of potential devices at multiple price points from which to choose.
The FIDO Alliance lists nine devices from five vendors that offer FIDO U2F:
- Bluink: Bluink Key
- Century Longmai Technology: mFIDO U2 token
- Hypersecu Information Systems: HyperFIDO Mini
- Vasco: DIGIPASS SecureClick
- Yubico: YubiKey 4, 4C, NEO, 4 Nano, FIDO U2F Security Key
Sullivan notes that the open hardware and software project called USB armory from Inverse Path - now part of F-Secure - is another MFA option.
Usability Versus Protection
Using a physical USB security key - or two - with Google or other services is a no-brainer for at-risk users, security experts say. In fact, many experts - including cybersecurity consultant Brian Honan, Cisco Talos Technical Leader Warren Mercer, and Chuck McAllister, endpoint security strategic adviser at CyberArk - tell ISMG that they have long used such devices, in some cases to better secure access to their password manager.
"I've been using Yubikey for a long time. They're great. Simple and integrates well with a lot." - Warren Mercer (@SecurityBeard), October 3, 2017
Using physical USB keys does involve a usability tradeoff, but security experts argue that it is worth it. "Adoption of a standard like U2F by more users and websites is a good thing," Wisniewski at Sophos says. "Because there is a cost involved, people will always complain a bit. It isn't quite as convenient as just typing in 'monkey123.'"
Such keys work with a variety of sites. Yubico, for example, notes that its keys can be used to better secure logins to multiple operating systems, password managers, and services such as Salesforce.com and Dropbox, among other sites and services.
But not every site offers USB security key compatibility. Sullivan, for example, says that Facebook does not appear to support hardware-based TFA or MFA options for his current browser configuration, which is Firefox on Windows.
While Google and Facebook are among the more high-profile sites offering at least some U2F security key compatibility, Wisniewski says that ideally, every site would offer this capability, across all browsers and platforms. "It needs to [be] reasonably ubiquitous to have the most impact," he says.