Google's New 2 Step Auth.

Discussion in 'BlackHat Lounge' started by Apricot, Oct 22, 2014.

  1. Apricot

    Apricot Administrator Staff Member

     
  2. Dogex

    Dogex Newbie

    I wouldn't do this, because I'm not so interested in giving my fingerprints out to this big company. I don't trust Google at all anyways. But, hey. That's just my opinion.
     
  3. TheVigilante

    TheVigilante Jr. VIP Jr. VIP

    I have had the normal two-step verification for like 2 years now...
     
  4. tb303

    tb303 Senior Member

    Don't be so paranoid, it's capacitive touch, not a fingerprint reader.
    What happens if you lose or damage the key though? Does it then fall back to standard "forgot my password" stuff? If so, there's the vulnerability. Also, if someone spoofs user agent to mobile they won't be asked for the key anyway.
    Can't be used by mobile or in many workplaces. Seems a bit of a fad to me.
     
  5. Apricot

    Apricot Administrator Staff Member

    If the key is lost, no one else can use it and you just go back to normal 2 step. Apparently can't be spoofed either.
     
  6. safex

    safex Jr. VIP Jr. VIP

    So an electronic master or a microchip expert will be able to build the same signature key..!! As it is easy to build 1 USB with multi code hacking. Now hacking a Google account is easy, because building a signature chip is an easy thing.
     
  7. SocialMediaManager

    SocialMediaManager Elite Member

    Good luck plugging a USB key into your iPad, or getting your security-sensitive workplace to let you plug arbitrary USB keys into your workstation, or convincing your bank that you really did not send your entire balance to Nigeria, even though you signed that transaction with a tap, etc etc...

    Remember Mt. Gox? That's Yubico's most public failure so far :)

    Strong authentication needs to be out-of-band, and support transaction signing, and work everywhere, or there's no point using it. You can't get "out of band" with anything that you "plug in" - that's simply connecting it directly to the same threats.
     
  8. sturose

    sturose Elite Member

    Third comment on the blog:



    Are some people just too paranoid??

     
  9. Asif WILSON Khan

    Asif WILSON Khan OG Blue Tick Exec VIP Jr. VIP

    Deja Vu, I could swear I have read that before.

    http://googleonlinesecurity.blogspo...howComment=1413903286554#c3539073133029923080
     