Google now offers special security program for high-risk users

Status
Not open for further replies.

jgee43

Ars Scholae Palatinae
706
Subscriptor++
Why is it that.....

You have to "opt-out" of privacy violating "features"

but

You have to "opt-in" to take advantage of security features?

While that is troubling, I agree in this case. There's nothing about my life that needs to be so secure that I need a physical fob to secure my e-mail. (Strangely, nobody wants to access the life e-mails of a teacher other than to try and find ways to steal my credit card information.)

Though I still agree with the sentiment.
 
Upvote
41 (43 / -2)

tigerhawkvok

Ars Scholae Palatinae
1,121
Subscriptor
This seems like it's only meaningfully more secure (for personal users) than a digital 2FA if you don't have a strong, random password protected by a password manager (which should really be the endpoint with a physical 2FA).

For example, I use a Yubikey with LastPass on all platforms, including my phone via NFC, and constantly reject Google's pleas to set up a recovery phone number (since SMS 2FA barely counts. Here's looking at you, PayPal.)

For the huge number of users that use easily hackable passwords or look-up-able "security questions" and 4-digit iPhone PINs, this could be helpful. But if you're already reasonably secure, you're not going to gain much IMO.
 
Upvote
-4 (9 / -13)

Nilt

Ars Legatus Legionis
21,814
Subscriptor++
Being able to do 2FA with a hardware key isn't new, I've been using my Yubikey as my second factor on my Google accounts for quite a while now...
True but this sounds as though Google is more involved in verification in the absence of the second factor, which is the real benefit. By severely limiting access and relying much more on whitelisting of apps deemed sufficiently secure, this can only be a good thing for folks most at risk.
 
Upvote
21 (21 / 0)

lewax00

Ars Legatus Legionis
17,402
Does that mean you can only use the GSuite of products on a device with a USB port? If so, does that mean no Gmail on your smart phone?
Depends, e.g. the Yubikey Neo has NFC so it can be used with most current smartphones (in theory, but I've never actually found anything that uses it).

The alternative (that Google already supports - I use this for emailing myself status reports from my NAS) is you can generate a single-device password from your account after you've authenticated properly (EDIT: on another machine that does support the key of course).
 
Upvote
17 (17 / 0)

Boskone

Ars Legatus Legionis
13,078
Subscriptor
Does that mean you can only use the GSuite of products on a device with a USB port? If so, does that mean no Gmail on your smart phone?
Depends, e.g. the Yubikey Neo has NFC so it can be used with most current smartphones (in theory, but I've never actually found anything that uses it).

The alternative (that Google already supports - I use this for emailing myself status reports from my NAS) is you can generate a single-device password from your account after you've authenticated properly (EDIT: on another machine that does support the key of course).
Also, Android phones/tablets will work with e.g. Yubikeys via a USB OTG adapter.
 
Upvote
5 (5 / 0)

afidel

Ars Legatus Legionis
18,192
Subscriptor
Google recommends the Feitian MultiPass FIDO Security Key on Amazon...

"Currently unavailable. We don't know when or if this item will be back in stock"
And given Amazon's inability to keep counterfeit goods out of their supply stream I don't think I'd recommend to anyone that they buy something as security critical as your 2FA token from them. I love Amazon, and have been a Prime member almost since the beginning of the program, but this is really their weakest point. I think it's pretty crappy of Google, who have security people that know better, to make the recommendation.
 
Upvote
18 (20 / -2)

aexcorp

Ars Praefectus
3,316
Subscriptor
Does that mean you can only use the GSuite of products on a device with a USB port? If so, does that mean no Gmail on your smart phone?
Depends, e.g. the Yubikey Neo has NFC so it can be used with most current smartphones (in theory, but I've never actually found anything that uses it).

The alternative (that Google already supports - I use this for emailing myself status reports from my NAS) is you can generate a single-device password from your account after you've authenticated properly (EDIT: on another machine that does support the key of course).

The Yubikey NEO works really great via NFC. At least one app that supports it is Keepass2Android, and it seems to work very smoothly.

Only thing that isn't perfect is that there's no need to press on the button while swiping the key for it to work (like you'd need to on USB, with press duration identifying the slot).
 
Upvote
8 (8 / 0)
Being able to do 2FA with a hardware key isn't new, I've been using my Yubikey as my second factor on my Google accounts for quite a while now...

Yeah - I'm confused. Hasn't google supported Yubikeys for years? Is this just a Google version of Yubikey-like authentication hardware?
 
Upvote
10 (10 / 0)

Rokuren

Smack-Fu Master, in training
61
For those wondering, the last two paragraphs detail the additional effects the program has. It's not just a hardware key.

Edit: Added below
So this is on top of the Google authentication app that can be used to secure your Google account? Do you still need Authenticator to work or is this key fob completely separate?
From the link it looks like it replaces it

Advanced Protection Landing Page said:
To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.
 
Upvote
17 (17 / 0)
Does that mean you can only use the GSuite of products on a device with a USB port? If so, does that mean no Gmail on your smart phone?
Depends, e.g. the Yubikey Neo has NFC so it can be used with most current smartphones (in theory, but I've never actually found anything that uses it).

The alternative (that Google already supports - I use this for emailing myself status reports from my NAS) is you can generate a single-device password from your account after you've authenticated properly (EDIT: on another machine that does support the key of course).


The Yubikey NEO works really great via NFC. At least one app that supports it is Keepass2Android, and it seems to work very smoothly.

Only thing that isn't perfect is that there's no need to press on the button while swiping the key for it to work (like you'd need to on USB, with press duration identifying the slot).



YubiKey NEOs can work with Yubico Authenticator over NFC. This is basically a drop-in replacement for the Google Authenticator app, but where the stored secrets are on the key instead of on your phone. Unfortunately, Apple seems reluctant to allow anyone to actually use NFC for anything, so it's Android only.
 
Upvote
16 (16 / 0)

Rokuren

Smack-Fu Master, in training
61
Looking around their page it looks like they require you to get two keys before you can activate it. A Bluetooth key and a USB key.

They provide a couple of amazon links to help you out.

Wireless
USB

Kind of neat, but really more effort than I'm willing to put in for my google account. Maybe if I was important or something; like the people this program is targeting.
 
Upvote
2 (2 / 0)

aexcorp

Ars Praefectus
3,316
Subscriptor
In fairness, I should add an important clarification to my earlier post:

While the "no need to press the button" thing may seem at first blush a bit less secure than the USB implementation (which does require pressing the button for anything to happen), the Yubikey can be configured in challenge-response mode (supported by Keepass2Android and Keepass desktop), in which case the challenge (an XML file that gets regenerated each time it has been used and is stored alongside the password safe file) is passed to the key via NFC and a reply is transmitted via NFC.

This means that the only thing somebody around you trying to activate the NFC on the key would get is a bunch of responses to the challenges they would need to send. Deriving the underlying key from this would be very difficult.
 
Upvote
4 (4 / 0)
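The challenge-response exchange described in the post above, as an added example that is not part of the thread and not Yubico's or KeePass's own code: a software stand-in for an HMAC-SHA1 token, a hypothetical vault that stores its current challenge beside the database and regenerates it after every successful open, and a check of what an observer of one NFC exchange can and cannot do with the captured response. The token class, the key derivation and the `Vault` class are assumptions made for illustration; the only device-specific fact used is that a YubiKey HMAC-SHA1 slot computes HMAC-SHA1 over the challenge with a 20-byte secret that never leaves the key.

```python
import hashlib
import hmac
import os


class SimulatedHmacToken:
    """Software stand-in for a YubiKey HMAC-SHA1 challenge-response slot
    (assumption for this example; a real token keeps the secret in hardware)."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secrets are 20 bytes")
        self._secret = secret  # never leaves the token in the real device

    def respond(self, challenge: bytes) -> bytes:
        # Only the response crosses the NFC/USB link, never the secret.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_db_key(response: bytes, master_password: str) -> bytes:
    """Hypothetical composite key: master password plus token response.
    (KeePass uses its own construction; this one is only illustrative.)"""
    return hashlib.sha256(master_password.encode("utf-8") + response).digest()


class Vault:
    """Hypothetical password database that, as the post describes, keeps its
    current challenge alongside the file and regenerates it after each open."""

    def __init__(self, token: SimulatedHmacToken, master_password: str) -> None:
        self.challenge = b""
        self._key_check = b""
        self._rotate(token, master_password)

    def _rotate(self, token: SimulatedHmacToken, master_password: str) -> None:
        # Fresh random challenge (the sidecar file in the post). Only a hash
        # of the resulting key is stored, so the file itself reveals no key.
        self.challenge = os.urandom(32)
        key = derive_db_key(token.respond(self.challenge), master_password)
        self._key_check = hashlib.sha256(key).digest()

    def unlock_with_response(self, response: bytes, master_password: str) -> bool:
        """Open with a response obtained by any means (normal path or replay)."""
        key = derive_db_key(response, master_password)
        return hmac.compare_digest(hashlib.sha256(key).digest(), self._key_check)

    def unlock(self, token: SimulatedHmacToken, master_password: str) -> bool:
        """Normal open: send the stored challenge to the token over NFC."""
        ok = self.unlock_with_response(token.respond(self.challenge), master_password)
        if ok:
            self._rotate(token, master_password)  # challenge changes on every use
        return ok


def demo() -> dict:
    """What an observer of a single NFC exchange gains, before and after rotation."""
    owner_token = SimulatedHmacToken(os.urandom(20))
    stranger_token = SimulatedHmacToken(os.urandom(20))
    password = "correct horse battery staple"  # constructed sample value
    vault = Vault(owner_token, password)

    # An eavesdropper records one exchange: the current challenge and its response.
    captured_challenge = vault.challenge
    captured_response = owner_token.respond(captured_challenge)

    results = {}
    # Until the owner opens the vault again, the captured response is still
    # valid, but only for someone who also holds the master password.
    results["replay_before_rotation"] = vault.unlock_with_response(captured_response, password)
    # The owner opens the vault normally; the challenge is regenerated.
    results["owner_open"] = vault.unlock(owner_token, password)
    # The captured response now answers a challenge the vault no longer uses.
    results["replay_after_rotation"] = vault.unlock_with_response(captured_response, password)
    # A different token produces the wrong response to the current challenge.
    results["wrong_token"] = vault.unlock(stranger_token, password)
    # The right token with the wrong password also fails.
    results["wrong_password"] = vault.unlock(owner_token, "not the password")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the post makes is visible in the `demo` results: a response is only useful for the one challenge it was computed over, the challenge is replaced after every successful open, and the stored sidecar holds nothing that reveals the slot secret. Someone soliciting responses from the key over NFC gets HMAC outputs for challenges of their own choosing, which neither answer the vault's current challenge nor let them recover the 20-byte secret, so the remaining exposure is the window between an observed exchange and the next rotation, and even that requires the master password.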

g3s17h87

Wise, Aged Ars Veteran
124
I hope Google follows this up with a strong and targeted advertising campaign. It has seemed to me over the years that (a good percentile of) people who need(ed) this type of security the most are the same ones least aware of its existence in the first place...

That aside, it is nice to see more of these security measures being offered for public consumption. I would hope that Microsoft follows up with something similar in the near future, if not for enterprise environments and sysadmins specifically. God only knows the list of internal security measures grows constantly - any approach with potential to effectively consolidate measures would be much appreciated. Like plugging in a 2FA USB key instead of, say, using KeePass to pull a password to access CyberArk just to access a server...
 
Upvote
4 (4 / 0)

aexcorp

Ars Praefectus
3,316
Subscriptor
Has anyone had luck finding a "Feitian MultiPass FIDO Security Key "? They seem to be sold out on Amazon.

I'm not familiar with this model, but there are a few things that make me think a Yubikey would be better/safer (it's also supported by Google):
-Yubikeys (even the NEO) are crazy well-built and simple. No battery, no complex electronics that might fail (or increase the attack surface), and able to survive for 3+ years now (and counting) in my pocket along with lots of keys rubbing against it, sweat, etc.
-Yubico is a reliable and trustworthy company out of Sweden, for something like this, I would definitely prefer to source from Sweden than China.
-Yubico provides a lot of software and API for a wide range of OSs and devices, whereas I'm not sure that's the case from Feitian.
-Yubikeys support a really wide range of standards and approaches. Not sure that's the case for these (seems like it's mostly U2F).

That said, I think I might order a Feitian ePass NFC to test it out and possibly as my backup if I like/trust it enough. It's only $17 vs. the $50 for the NEO. Like the NEO, it shares simplicity and looks well-built, and supports NFC.
 
Upvote
13 (13 / 0)

MyztMoore

Seniorius Lurkius
4
I have zero experience with the recommended Feitian product. I do have years of personal and professional experience with Yubico's product line.

Color me ignorant, but I have always been a little wary of Feitian as a solution because of where that company is located.

Does anyone have any experience regarding the Feitian line of products? Any high-level analysis of the companies compared to each other?

EDIT: thx aexcorp. That's been my exact line of thought. Would still be interested in others' personal experience with the company. I was a little surprised about Google's recommendation.
 
Upvote
8 (8 / 0)

jonb2008

Wise, Aged Ars Veteran
116
Has anyone had luck finding a "Feitian MultiPass FIDO Security Key "? They seem to be sold out on Amazon.

I'm not familiar with this model, but there are a few things that make me think a Yubikey would be better/safer (it's also supported by Google):
-Yubikeys (even the NEO) are crazy well-built and simple. No battery, no complex electronics that might fail (or increase the attack surface), and able to survive for 3+ years now (and counting) in my pocket along with lots of keys rubbing against it, sweat, etc.
-Yubico is a reliable and trustworthy company out of Sweden, for something like this, I would definitely prefer to source from Sweden than China.
-Yubico provides a lot of software and API for a wide range of OSs and devices, whereas I'm not sure that's the case from Feitian.
-Yubikeys support a really wide range of standards and approaches. Not sure that's the case for these (seems like it's mostly U2F).

That said, I think I might order a Feitian ePass NFC to test it out and possibly as my backup if I like/trust it enough. It's only $17 vs. the $50 for the NEO. Like the NEO, it shares simplicity and looks well-built, and supports NFC.

Yes that's great, but I have an iPhone with proprietary NFC technology. Maybe that's my first mistake lol. This is the only model that appears to work with the iPhone. I'd like to see how it works because it doesn't cost a whole lot.
 
Upvote
4 (4 / 0)
I just tried this on my primary gmail account.

First, it makes you register new hardware tokens instead of using the ones already on your account. Then I discovered that my iphone isn't going to support it. No big deal, I'll just wait until I can get some additional hardware.

But when I disabled the "Advanced Protection", it also _removed my existing multifactor U2F tokens_ that have been on the account for years and removed my google authenticator. So my account was unprotected by MFA for the first time in ages. Very disappointed that the security feature would revert security that badly when turned back off.
 
Upvote
18 (19 / -1)
That is pretty cool. The Google Authenticator is great, but nice to see other options.

Also on the impact to the election... blaming someone else because you got caught doing something you should not have done is your own fault and no one is to blame but yourself....

Be above reproach and this will never be a problem....
 
Upvote
1 (1 / 0)
Snip bullshit about Republicans not using 2fa....

Your stupidity aside, actually, I'm pretty sure that Team Red was PWN3D as much by Team Russia as Team Blue was. Bad IT Security is a non-partisan problem.

I'm all for Team Red having better IT Security if that means I have better IT security. Hackers need to work much harder for their crap so we don't have to go out and buy LifeLock because hackers suck. And THAT is a bipartisan fact!
 
Upvote
13 (15 / -2)

Deleted member 534233

Guest
Security is only as strong as the weakest link, and for the truly paranoid or at risk, the weakest link that is out of their control is the account recovery (a.k.a. password reset) procedures of their service providers.

In other words, if all it takes to hack into your account is a little bit of research about you and a helpline phone call, then the sophistication of your daily authentication setup doesn't matter.

I want the ability to have my accounts recovery procedures depend solely on my ability to protect recovery keys, not gullible humans.
 
Upvote
7 (7 / 0)

truthyboy15

Ars Tribunus Angusticlavius
6,337
Upvote
-10 (0 / -10)

DarkSyd

Ars Tribunus Angusticlavius
6,086
Upvote
8 (8 / 0)