UPDATE (October 8, 2021): It was just announced that Google will be giving free security keys to 10,000 particularly at risk Google users. Excellent to see this important step being taken!
– – –
It’s obvious that the security of SMS mobile text messaging as the primary means for 2-factor account authentications is fatally flawed. The theoretical problems are nothing new, but the dramatic rise in successful attacks demonstrates that the cellular carriers are basically inept at protecting their subscribers from SIM hijacking and other schemes (sometimes enabled by crooked insiders within the carrier firms themselves) that undermine the security of these systems.
While other 2-factor mechanisms exist, including authentication apps of various sorts, text messaging remains dominant. The reason why is obvious — pretty much everyone has a cell phone already in hand. Nothing else to buy or install.
The correct way to solve this problem is also well known – FIDO U2F security keys. Google has noted publicly that after transitioning their workforce to security keys from OTP (one-time password) systems, successful phishing attacks against Googlers dropped to zero.
Impressive. Most impressive.
But in the world at large, there’s a major problem with this approach, as I discussed recently in: “Prediction: Unless Security Keys Are Free, Most Users Won’t Use Them” (https://lauren.vortex.com/2018/08/02/prediction-unless-security-keys-are-free-most-users-wont-use-them).
I have also previously noted the difficulties in convincing users to activate 2-factor authentication in the first place: “How to ‘Bribe’ Our Way to Better Account Security” (https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security).
Essentially, most users won’t use 2-factor unless there are strong and obvious incentives to do so, because most of them don’t believe that THEY will ever be hacked — until they are! And they’re unlikely to use security keys if they have to buy them as an extra cost item.
Google is one of the few firms with the resources to really change this for the better.
Google should consider giving away security keys to their users for free.
The devil is in the details of course. This effort would likely need to be limited to one free key per user, and perhaps could be limited initially to users subscribing to Google’s “Google One” service (https://one.google.com/about). Please see today’s comments for some discussion related to providing users with multiple keys.
Mechanisms to minimize exploitation (e.g. resale abuse) would also likely need to be established.
Ultimately, the goals would be to provide real incentives to all Google users to activate 2-factor protections, and to get security keys into their hands as expeditiously as is practical.
Perhaps other firms could also join into such an effort — a single security key can be employed by a user to independently authenticate at multiple firms and sites.
It’s a given that there would indeed be significant expenses to Google and other firms in such an undertaking. But unless we find some way to break users out of the box of failed security represented especially by text messaging authentication systems, we’re going to see ever more dramatic, preventable security disasters, of a kind that are already drawing the attentions of regulators and politicians around the world.
–Lauren–