Google will sell hardware keys to improve account security

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Jul 27, 2018.

  1. pokerapar88

    pokerapar88 Ancient Guru

    I also think that biometric scanning is way more secure. Either a combination of face and fingerprint or iris and fingerprint is easily the best way to 2 factor authenticate yourself aside from a password.
  2. Krakkan

    Krakkan Member

    Sorry for this in advance :rolleyes:

    Phishing is really easy these days with authenticator apps, with valid certificates and everything; it's becoming more common and anyone can set it up.
    The fake sense of security many have about mobile apps is not good at all.
    SMS is tragically insecure and is not recommended at all; it's basically what regular unsecure HTTP is today.
    SMS can be spoofed, phished, intercepted, and your number can even be changed to an attacker's SIM card; you name it, SMS has probably got it. Also remember your operator can see it in plain text as well.

    PayPal is going secure soonish I think; it is kinda absurd they still use SMS, as are other services using it.
    The worst security of any more known service today has to be Netflix imo.
    Steam needs to sort out their crappy trade system that prevents them from becoming more secure. I don't see why they can't allow FIDO2\WebAuthn for login and keep their old system for trade. I mean, trade sites and basically every other service and competitor can do it but Steam can't; then it's time to redo their trade system, I think.
    A real Alice in Wonderland moment is when it is claimed the Steam app\authenticator is meant for trade, not account security. In my mind, for there to be trade you must first have account security.
    Oh well, I'm sure Steam will solve it and increase security as every other service, preventing it from being able to be completely taken over in like 2 minutes by a site like today.

    "Smart people" will point out the codes in authenticator apps are only valid for a couple of seconds, yes indeed but think bigger, once you are logged in do you need to use any codes every few seconds? No, attackers don't even bother with the app codes they just steal the entire session instead when you are already logged in to stuff!
    PayPal for sure is kinda pissing me off, so is Netflix, which still does not even have anything besides an old-fashioned username and password.

    What is nice with FIDO U2F and FIDO 2\WebAuthn (Web Authentication) is that they are phishing-proof: if a site is different to the real site, it will get a code that simply won't work.

    Despite so many already having these Google keys and testing them, there is a lack of confirming if it is the old and proven U2F or the newer FIDO 2 the keys are using or both.
    While the keys are VERY similar to a certain vendor already selling them, so far I have not seen anything confirming that they actually are the provider and the keys are just rebranded.
    Google does have its very own security chip, actually called Titan, that is used in servers and stuff. It would not be impossible for Google to have also made their own chip for their security keys; the most we have is that it is not the Titan chip Google uses for servers and stuff, but that does not mean it is another brand's chip in its security keys tho.

    So far I like Yubikey Neo the most in terms of features, if only it had FIDO 2 also. What is nice is it can be used instead of authenticator apps (TOTP) for sites not supporting security keys yet and a bunch of other stuff, but then it is also only as secure as those are.
    I like a key on my keychain way more than having everything lost from a phone incident, be it a drop, some kind of water accident etc. I rarely have my keys out but a phone is out regularly, even on tables, and can be snatched. A phone is a way bigger target than keys that are most of the time left in your pocket or wallet and not out in the open like a phone.
    A key can be dropped; a key does not require a battery (unless Bluetooth) or network and can always be used.

    I will be extremely interested in Google's security keys if they are a contender to the Yubikey Neo in features, especially if they also have FIDO2 support on top of that.
    Then it would be revolutionary in terms of cost, if you get 2 keys, both a USB\NFC and a Bluetooth\NFC key, for the price of 1 Yubikey Neo (ALWAYS have a backup!)
    Also Google wants these things to be dirt cheap in the future, like 2 dollars, so I think Google's key will only have support for U2F, or only FIDO2, or both, but no other features like a Neo. But it is very nice with NFC (Bluetooth for Apple users).
    I think Apple has NFC too on their phones, but is not opening it up to be used... Maybe they will whitelist Google's security keys, but they have not for others before, so I think they will just tell users to use the Bluetooth key; then users lose USB, which is very useful indeed, and also get a battery to worry about.
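
Added example, not part of the thread or any poster's words: a simplified model of the relying-party checks behind the origin binding that the post above credits for U2F/WebAuthn phishing resistance. The RP ID, both origins and all function names are assumptions, and an HMAC stands in for the ECDSA signature a real security key produces so the sketch runs on the standard library alone.

```python
import base64, hashlib, hmac, json, os

RP_ID = "accounts.example"                   # assumed relying-party ID
ORIGIN = "https://accounts.example"          # the only origin this server accepts
LOOKALIKE = "https://accounts-example.test"  # constructed look-alike origin
DEVICE_KEY = os.urandom(32)  # stand-in for the credential key inside the security key

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_assertion(origin_seen, challenge):
    """Model browser + key: the browser, not the page, records the origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin_seen}).encode()
    # authenticatorData = SHA-256(RP ID) || flags (user present) || signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the ECDSA signature of a real key (assumption)
    return client_data, auth_data, hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()

def verify_assertion(client_data, auth_data, sig, expected_challenge):
    """Relying-party checks; returns "ok" or the name of the first failed check."""
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "bad type"
    if fields.get("challenge") != b64url(expected_challenge):
        return "bad challenge"
    if fields.get("origin") != ORIGIN:
        return "origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    expected = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(sig, expected) else "bad signature"

def demo():
    challenge = os.urandom(32)
    genuine = verify_assertion(*sign_assertion(ORIGIN, challenge), challenge)
    # Same challenge shown on the look-alike site: the browser records that origin
    cd, ad, sig = sign_assertion(LOOKALIKE, challenge)
    relayed = verify_assertion(cd, ad, sig, challenge)
    # Editing the origin afterwards changes the signed hash, so the signature fails
    edited = verify_assertion(cd.replace(LOOKALIKE.encode(), ORIGIN.encode()), ad, sig, challenge)
    return genuine, relayed, edited

if __name__ == "__main__":
    print(demo())
```

A TOTP code carries no origin field for the server to compare, which is the difference this check illustrates.
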
  3. gregjet

    gregjet New Member

    Back to the Future. Our organization used this type of key in the late 70's and 80's for access to the mainframe. Plug in but contactless.
  4. Abomlol

    Abomlol Member

    If you build it, fear monger it through subversive marketing, and sell it cheap...they will come.

    Just like VPNs being TOTALLY safe to traffic all your data through instead of huge public companies because "we don't log data."
