20180724 - 【评】_这种独立的电子钥匙估计很快会被集成在智能手表和智能手机里，但与 SI - GooglePlus

【评】

这种独立的电子钥匙估计很快会被集成在智能手表和智能手机里，但与 SIM 卡完全分离。

如果再集成支付功能，就完美了。

而这两项功能，如果不考虑指纹认证，甚至不需要电池就能用。

【转】

https://news.cnblogs.com/n/602562/

谷歌全员用上了物理密匙，从此没人被"钓鱼"攻击

　　7 月 24 日消息，据 CNET 报道，事实证明，谷歌帮助员工对抗网络“钓鱼”攻击的关键就在于物理密匙。知名网络安全网站 Krebs on Security 在最新安全报告中称，自从 2017 年初开始使用基于 USB 的物理安全密钥以来，谷歌 8.5 万名员工的工作账户从未遭受过钓鱼攻击。

　　密钥可以替代两步身份验证，即用户首先使用密码登录网站，然后必须输入额外的一次性密码，这些密码通常通过文本或应用程序发送到手机上。谷歌的一名代表称，安全密钥用于公司的所有账户访问。

　　这名代表说：“自从在谷歌执行安全密钥以来，我们从未收到账号被劫持的报告。由于许多不同的应用或原因，用户可能会被要求使用他们的安全密钥进行身份验证。这一切都取决于应用程序的敏感性和用户当时面临的风险。”

　　谷歌没有立即置评。但 Krebs on Security 报道称，在 2017 年之前，谷歌员工使用 Google Authenticator 应用生成的一次性代码，而安全密钥（零售价只有 20 美元）使用名为 Universal 2nd Factor 的多步认证。

　　Universal 2nd Factor 让用户通过插入 USB 设备和按下按钮登录。当设备连接到某个站点后，用户就不再需要输入密码了。

　　据 Krebs on Security 统计，越来越多的网站采用 Universal 2nd Factor 认证，但目前只有一小部分网站支持它，如 Dropbox、Facebook 和 Github。包括 Chrome、Firefox 和 Opera 等浏览器都支持它。据报道，微软将在今年晚些时候更新 Edge 浏览器，以支持 Universal 2nd Factor。

https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, Keepass and LastPass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance.

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser.

Probably the most popular maker of Security Keys is Yubico, which sells a basic U2F key for $20 (it offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems). Yubikey also sells more expensive U2F keys designed to work with mobile devices.

If a site you frequent does not yet support WebAuthn, please consider hardening your login with another form of 2FA. Hundreds of sites now support multi-factor authentication. http://Twofactorauth.org maintains probably the most comprehensive list of which sites support 2FA, indexing each by type of site (email, gaming, finance, etc) and the type of 2FA offered (SMS, phone call, software token, etc.).

In general, using SMS and automated phone calls to receive a one-time token is less secure than relying on a software token app like Google Authenticator or Authy. That’s because thieves can intercept that one-time code by tricking your mobile provider into either swapping your mobile device’s SIM card or “porting” your mobile number to a different device. However, if the only 2FA options offered by a site you frequent are SMS and/or phone calls, it is still better than simply relying on a password.

While we’re on the subject of multi-factor authentication, I should note that Google now offers an extra set of security measures for all of its properties called Advanced Protection. Exactly how Google’s Advanced Protection works (and the trade-offs involved in turning it on) will likely be the subject of another story here, but http://Wired.com recently published a decent rundown about it. Incidentally, this article includes a step-by-step guide on how to incorporate Security Keys into Advanced Protection.

I have been using Advanced Protection for several months now without any major issues, although it did take me a few tries to get it set up correctly. One frustrating aspect of having it turned on is that it does not allow one to use third-party email applications like Mozilla’s Thunderbird or Outlook. I found this frustrating because as far as I can tell there is no integrated solution in Gmail for PGP/OpenGPG email message encryption, and some readers prefer to share news tips this way. Previously, I had used Thunderbird along with a plugin called Enigmail to do that.