
Google's New 2 Step Auth.

Discussion in 'BlackHat Lounge' started by Apricot, Oct 22, 2014.

  1. Apricot

    Apricot Administrator Staff Member Moderator

    http://googleonlinesecurity.blogspot.co.uk/2014/10/strengthening-2-step-verification-with.html


    I just bought one of these because I love new tech etc. Plus it'll be good for work instead of texting my phone every 30 days or when I log in from somewhere else. I do like the concept, and whether it is just a kind of fad or something that could change the way we secure our accounts, I think it's a brilliant move.

    Someone see something I don't in terms of vulnerability?


    You can buy the USB on Amazon (US and UK), got mine for £5.00.
     
  2. Dogex

    Dogex Newbie

    I wouldn't do this, because I'm not so interested in giving my fingerprints out to this big company. I don't trust Google at all anyways. But, hey. That's just my opinion.
     
  3. abhi007

    abhi007 Jr. VIP Jr. VIP

    I have the normal two step verification for like 2 years now...
     
  4. tb303

    tb303 Senior Member

    Don't be so paranoid, it's capacitive touch, not a fingerprint reader.
    What happens if you lose or damage the key though? Does it then fall back to standard "forgot my password" stuff? If so, there's the vulnerability. Also, if someone spoofs the user agent to mobile they won't be asked for the key anyway.
    Can't be used by mobile or in many workplaces. Seems a bit of a fad to me.
     
  5. Apricot

    Apricot Administrator Staff Member Moderator

    If the key is lost, no one else can use it and you just go back to normal 2 step. Apparently can't be spoofed either.
     
  6. safex

    safex Jr. VIP Jr. VIP

    So an electronic master or a microchip expert will be able to build the same signature key..!! As it is easy to build 1 USB with multi code hacking. Now hacking a Google account is easy, because building a signature chip is an easy thing.
     
  7. SocialMediaManager

    SocialMediaManager Elite Member

    Good luck plugging a USB key into your iPad, or letting your security-sensitive workplace let you plug arbitrary USB keys into your workstation, or convincing your bank that you really did not send your entire balance to Nigeria, even though you signed that transaction with a tap, etc etc...

    Remember Mt.Gox? That's Yubico's most public failure so far :)

    Strong authentication needs to be out-of-band, and support transaction signing, and work everywhere, or there's no point using it. You can't get "out of band" with anything that you "plug in" - that's simply connecting it directly to the same threats.
     
  8. sturose

    sturose Jr. VIP Jr. VIP

    Third comment on the blog:



    Are some people just too paranoid??

     
  9. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Deja Vu, I could swear I have read that before.

    http://googleonlinesecurity.blogspo...howComment=1413903286554#c3539073133029923080
     