Google adopts the use of 2FA USB key company-wide.
Google’s move is right for their business, but…
In a prior post, I poked a little fun at Google’s expense. In fairness to Google, I recognize here a subsequent news item clarifying “Google’s 85,000 employees avoid successful phishing attempts with a $20 USB security key”. The operative word is “successful” phishing, missing from the prior news release. That word refers to those cases where a phishing attack results in bad actor access to secure accounts. Google’s action does little to eliminate phishing attacks but does reduce successful phishing attacks. They did so by adopting the use of a USB security key, providing all employees and contractors with a YubiKey. Each day the Google employee plugs their YubiKey into their business computer and then carries on with their activities. When accessing a secure account, they press the YubiKey button to produce a one-time passcode, thus establishing they are who they claim to be, kind of. Addition of a PIN can reduce the possibility of someone other than the YubiKey assignee pressing the button. Huh?
Let’s review. Google employees use passwords to secure their accounts. That didn’t work out well, so a One Time Passcode was added to the mix as a second factor. Whoops, that is not good as the OTP can be intercepted by a bot, so use of a USB security key to generate an encrypted OTP at the push of a button is the fix. Darn, anyone can push that button, so a PIN requirement is added to ensure the button is pushed only by the person the USB key belongs to. And whoever else may have the PIN. Does any of this make sense?
I digress. In spite of perceived failings, this is an improvement over Google Authenticator as it does suggest there is a human at the keyboard, but fails to affirm which, if any. I have some additional reservations. I question its use on a practical basis and point out that Google employees remain susceptible to phishing attacks, that some of those have the potential of penetrating the defenses and reaching secure resources, and thus the potential of becoming a “successful” phishing attack remains.
Additionally, I find my having to pay $ to prove I am who I claim to be is just a bit offensive. That said, I’m still curious as to the applicability and benefit of using a USB security key. To shake that out, I went to the website to purchase the $20 phishing attack fix. What I found was a $20 USB key that fails to meet my needs. But, on the same page, I find other USB keys that appear to do so, and of course not for the $20 Google suggests. Indeed, they are considerably more expensive.
How did that happen? I’m glad you asked.
As it turns out, the $20 key supports USB-A only and as such is a non-starter for me. I have a USB-C laptop at the office, a smartphone with NFC and USB-C, a USB-A laptop, and an iPad with no USB at home. I use all of them to access my various secure accounts. So, a USB-A only solution will not work. Picking from the others offered, I select one costing $45 to use on my USB-A laptop and smartphone over NFC, and the other a $50 gadget that works on my USB-C laptop. Guess I’ll have to scrap use of my iPad. An attractive solution? I think not.
Despite the ridiculous cost, the idea of the USB security key intrigues me, until I think through its use from a practical point of view. USB keys need to be registered at all accounts to be secured by their use. For me, that is a huge pain. Of course, each USB security key is necessarily unique. So, having multiple keys means having to register each key individually with each account. This is unacceptable on multiple levels, not the least of which is the registration time required. It would also be a nuisance fishing out the right key for the device I’m about to use. On a more basic level, I loathe having to duplicate my personal identification information on each keyed account. I’ve come to hate divulging my PII data to those I don’t know and have no reason to trust. And, each duplicate increases my PII data footprint, thereby increasing the risk of it being harvested when someone I’ve no reason to trust is hacked.
In the end, I conclude the Google USB key panacea for preventing most, not all, successful phishing attacks is too expensive, too onerous, requires too much PII disclosure, and is too much of a risk for me. Hope this perspective helps you when considering the use of USB security keys.