
Google's New 2 Step Auth.

Discussion in 'BlackHat Lounge' started by Apricot, Oct 22, 2014.

  1. Apricot

    Apricot Administrator Staff Member Moderator

    Joined:
    Mar 26, 2013
    Messages:
    11,963
    Likes Received:
    6,444
    Gender:
    Female
    Occupation:
    BHW Moderator
    Location:
    London
    Home Page:
    http://googleonlinesecurity.blogspot.co.uk/2014/10/strengthening-2-step-verification-with.html


    I just bought one of these because I love new tech etc. Plus it'll be good for work instead of texting my phone every 30 days or when I log in from somewhere else. I do like the concept and whether it is just a kind of fad or something that could change the way we secure our accounts, I think it's a brilliant move.

    Someone see something I don't in terms of vulnerability?


    You can buy the USB on Amazon (US and UK), got mine for £5.00.
     
  2. Dogex

    Dogex Newbie

    Joined:
    Mar 17, 2014
    Messages:
    35
    Likes Received:
    4
    I wouldn't do this, because I'm not so interested in giving my fingerprints out to this big company. I don't trust Google at all anyway. But, hey. That's just my opinion.
     
  3. abhi007

    abhi007 Jr. VIP Jr. VIP

    Joined:
    Aug 31, 2010
    Messages:
    5,300
    Likes Received:
    3,740
    Location:
    snip.li/TubH
    I have the normal two step verification for like 2 years now...
     
  4. tb303

    tb303 Power Member

    Joined:
    Dec 18, 2011
    Messages:
    601
    Likes Received:
    280
    Don't be so paranoid, it's capacitive touch, not a fingerprint reader.
    What happens if you lose or damage the key though? Does it then fall back to standard "forgot my password" stuff? If so, there's the vulnerability. Also if someone spoofs user agent to mobile they won't be asked for the key anyway.
    Can't be used by mobile or in many workplaces. Seems a bit of a fad to me.
     
  5. Apricot

    Apricot Administrator Staff Member Moderator

    Joined:
    Mar 26, 2013
    Messages:
    11,963
    Likes Received:
    6,444
    Gender:
    Female
    Occupation:
    BHW Moderator
    Location:
    London

    If the key is lost, no one else can use it and you just go back to normal 2 step. Apparently can't be spoofed either.
     
  6. safex

    safex Jr. VIP Jr. VIP

    Joined:
    Dec 28, 2009
    Messages:
    3,433
    Likes Received:
    518
    Occupation:
    Search Engine Optimization
    Location:
    BLCVA.com
    So an electronic master or a microchip expert will be able to build the same signature key!! As it is easy to build 1 USB with multi-code hacking. Now hacking a Google account is easy, because building a signature chip is an easy thing.
     
  7. SocialMediaManager

    SocialMediaManager Elite Member

    Joined:
    Sep 20, 2012
    Messages:
    1,706
    Likes Received:
    746
    Occupation:
    Internet Marketing , Climbing
    Location:
    Dubai
    Good luck plugging a USB key into your iPad, or letting your security-sensitive workplace let you plug arbitrary USB keys into your workstation, or convincing your bank that you really did not send your entire balance to Nigeria, even though you signed that transaction with a tap, etc etc...

    Remember Mt.Gox? That's Yubico's most public failure so far :)

    Strong authentication needs to be out-of-band, and support transaction signing, and work everywhere, or there's no point using it. You can't get "out of band" with anything that you "plug in" - that's simply connecting it directly to the same threats.
     
  8. sturose

    sturose Power Member

    Joined:
    Nov 6, 2013
    Messages:
    758
    Likes Received:
    835
    Gender:
    Male
    Occupation:
    Freelance sex slave
    Location:
    Chained up in a dungeon
    Third comment on the blog:



    Are some people just too paranoid??

     
  9. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,115
    Likes Received:
    28,552
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Deja Vu, I could swear I have read that before.

    http://googleonlinesecurity.blogspo...howComment=1413903286554#c3539073133029923080
     