UPDATE (October 8, 2021): It was just announced that Google will be giving free security keys to 10,000 particularly at-risk Google users. Excellent to see this important step being taken!
– – –
It’s obvious that the security of SMS mobile text messaging as the primary means for 2-factor account authentication is fatally flawed. The theoretical problems are nothing new, but the dramatic rise in successful attacks demonstrates that the cellular carriers are basically inept at protecting their subscribers from SIM hijacking and other schemes (sometimes enabled by crooked insiders within the carrier firms themselves) that undermine the security of these systems.
While other 2-factor mechanisms exist, including authentication apps of various sorts, text messaging remains dominant. The reason why is obvious — pretty much everyone has a cell phone already in hand. Nothing else to buy or install.
The correct way to solve this problem is also well known – FIDO U2F security keys. Google has noted publicly that after transitioning their workforce to security keys from OTP (one-time password) systems, successful phishing attacks against Googlers dropped to zero.
Impressive. Most impressive.
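Why the phishing result above holds comes down to one property of FIDO U2F: the key signs over the origin the browser is actually connected to, so a credential captured on a look-alike site is useless at the real one. The following is an added toy model of that property (example code, not from the original post or from Google); HMAC stands in for the key’s per-credential ECDSA signature, and the origins and secrets are constructed.

```python
import hashlib
import hmac
import os

# Constructed model of why a U2F key resists a relaying phishing site while
# an OTP does not. HMAC replaces the key's ECDSA signature (a simplification);
# the property shown is the real one: the browser, not the user, supplies the
# origin that goes into the signed message, so the user cannot be tricked.

REAL_ORIGIN = "https://bank.example"          # legitimate site (constructed)
PHISH_ORIGIN = "https://bank-login.example"   # look-alike site (constructed)
KEY_SECRET = os.urandom(32)                   # per-credential secret inside the key
OTP_SECRET = os.urandom(20)                   # shared secret behind an OTP app

def key_sign(origin: str, challenge: bytes) -> bytes:
    """The browser supplies `origin`; the key signs origin hash + challenge."""
    msg = hashlib.sha256(origin.encode()).digest() + challenge
    return hmac.new(KEY_SECRET, msg, hashlib.sha256).digest()

def key_verify(challenge: bytes, signature: bytes) -> bool:
    """The relying party only accepts a signature over its own origin."""
    expected = key_sign(REAL_ORIGIN, challenge)
    return hmac.compare_digest(expected, signature)

def otp(counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 truncation); no origin is involved."""
    mac = hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def phish_relay_key() -> bool:
    """Phisher starts a real login, shows the victim the challenge on its own
    origin, then forwards whatever the key signs. True if the real site
    accepts it."""
    challenge = os.urandom(32)                       # issued by REAL_ORIGIN
    victim_sig = key_sign(PHISH_ORIGIN, challenge)   # browser binds PHISH_ORIGIN
    return key_verify(challenge, victim_sig)         # origin mismatch -> rejected

def phish_relay_otp() -> bool:
    """Victim types the code into the phishing page; phisher replays it."""
    counter = 1
    typed_code = otp(counter)                        # nothing ties it to a site
    return typed_code == otp(counter)                # real site accepts it

if __name__ == "__main__":
    print("relayed key assertion accepted:", phish_relay_key())  # False
    print("relayed OTP accepted:", phish_relay_otp())            # True
```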
But in the world at large, there’s a major problem with this approach, as I discussed recently in: “Prediction: Unless Security Keys Are Free, Most Users Won’t Use Them” (https://lauren.vortex.com/2018/08/02/prediction-unless-security-keys-are-free-most-users-wont-use-them).
I have also previously noted the difficulties in convincing users to activate 2-factor authentication in the first place: “How to ‘Bribe’ Our Way to Better Account Security” (https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security).
Essentially, most users won’t use 2-factor unless there are strong and obvious incentives to do so, because most of them don’t believe that THEY will ever be hacked — until they are! And they’re unlikely to use security keys if they have to buy them as an extra cost item.
Google is one of the few firms with the resources to really change this for the better.
Google should consider giving away security keys to their users for free.
The devil is in the details of course. This effort would likely need to be limited to one free key per user, and perhaps could be limited initially to users subscribing to Google’s “Google One” service (https://one.google.com/about). Please see today’s comments for some discussion related to providing users with multiple keys.
Mechanisms to minimize exploitation (e.g. resale abuse) would also likely need to be established.
Ultimately, the goals would be to provide real incentives to all Google users to activate 2-factor protections, and to get security keys into their hands as expeditiously as is practical.
Perhaps other firms could also join into such an effort — a single security key can be employed by a user to independently authenticate at multiple firms and sites.
It’s a given that there would indeed be significant expenses to Google and other firms in such an undertaking. But unless we find some way to break users out of the box of failed security represented especially by text messaging authentication systems, we’re going to see ever more dramatic, preventable security disasters, of a kind that are already drawing the attention of regulators and politicians around the world.
–Lauren–
Cost is a factor, and remember you should always have at least two FIDO keys registered for your account, leaving one in a safe place for when you lose your primary one. This reduces the problems associated with getting into your account when you have to replace a lost one.
You’re correct that having multiple keys is the preferred case, but I don’t think that more than one free key is necessarily practical. Perhaps more to the point, I doubt that most ordinary users would currently be willing to operate in “key only” mode (e.g. Google’s “Advanced Protection Program” and the like). For now, the idea would be to get at least one key to as many users as possible, and to help these users become comfortable using the keys as their main credentials authentication tools.
Google also has to work with other vendors to enable key authentication.
I just bought a key to try out. It doesn’t work with Apple Mail: I have to read mail using Chrome only. Not going to happen. Now, if the key would work with Apple Mail (MacOS and iOS), I’d use one all the time.
There’s something of a “chicken and egg” problem of course. Some firms may currently be unwilling or reluctant to put sufficient resources into supporting good security — like security keys — because there aren’t (relatively) many keys in the hands of ordinary consumers yet. That’s why Google stepping up to the plate could make such a positive difference in this regard going forward.
I have been watching the 2FA matter for at least two years. I have longingly looked at the Yubikey Neo because I use an Android phone. Every time I look at Yubikey I don’t get a warm and fuzzy feeling. When I search for user experience articles I keep encountering ones like the following…
https://shkspr.mobi/blog/2017/11/a-grumpy-look-at-using-a-yubico-neo-nfc-on-ubuntu-android/
And two keys at $50.00 each is a bit steep without some rock solid guarantees.
Just my $0.02 (Thanks for letting me rant.)
We’re really in the relatively early stages of this tech. It’s going to take some time to evolve, but it is very important to get this ball rolling now.