Don't Forget your Keys, Dave
30th July, 2018 | Cyberprivacy | Entropic
Phishing, along with a host of other types of cyber attacks against their customers, has gradually forced many companies to introduce multi-factor authentication into their account sign-in process.
For an average consumer, multi-factor authentication has always been a relatively cumbersome process, which is why companies that develop these types of authentication products have invested a lot to make them less cumbersome and more user friendly, without compromising on the quality of their devices and the security of their users.
Google, as an example, currently supports several options as part of their 2-Step Verification feature, including the use of an authenticator app, such as Google Authenticator, and third-party security keys, which allow you to sign in to Google by plugging the key into your notebook/PC, or placing it near your mobile device.
Historically, Google has relied on third parties to develop the actual security keys, and has worked with Yubico and NXP Semiconductors to develop protocols such as U2F used by consumer-friendly security keys such as the YubiKey, which have also been successfully deployed to Google employees to help secure their accounts.
As part of a new initiative, last week Google introduced their Titan key to their G-Suite customers, and soon plan to make it available to all of their customers via the Google store.
Yubico have responded to Google's decision, indicating in politically correct tones that they don't believe that Bluetooth LE is secure, user friendly, or power friendly enough to make the grade for a seamless, user-friendly security key. In addition, they have stated that their security keys will continue to be manufactured in Europe and the US, implying perhaps that this will not be the case with the Titan key.
More holistically, however, this event might be where the beliefs of a privacy-conscious, regulation-fearing European security company differ from those of a company that depends on monetizing people's personal information.
Some possible motivations for Google to have their own security key might include:
- Being able to provide a security key to its customers that works across their devices - PCs, notebooks, tablets, and smartphones - some of which may not yet have NFC capabilities.
- The need to have more control over the design of their security keys, to quickly combat the ever-changing nature of cyber attacks that target their customers.
- Extending the sensory reach of their information collection in the Internet of Things to scenarios where the user has physically left their smartphone.
With regard to the last point, consider your physical location as tracked by your smartphone, and how valuable this is to companies like Google who, for instance, use it to provide you with critical information on traffic congestion in Google Maps. Now consider the times when you are away from your smartphone. That is, you only have your keys, but not your smartphone - perhaps this is often, perhaps never.
The problem is that everyone has differing behaviors - Google doesn't know yet. But by offering their own Bluetooth LE enabled security key which follows you around with your house/car keys, they can potentially fill this void in their understanding of your physical activity when you are away from your smartphone. This Bluetooth LE enabled security key would be empowered to report back harvested information to your smartphone from within a range of ~330ft (~100m), vs. the relatively passive ~4in (~10cm) range of mainstream NFC security keys. Being able to tap into this information at this distance from your smartphone can yield new insights that can help them significantly improve the granularity of their services.
Extending their sensory reach deeper into the Internet of Things by enticing users into using well-refined and convenient smart devices appears to be the continuing theme for Google, and the decision to introduce their own security key aligns with that theme.
As far as improving the security of the Internet of Things, there are some challenging questions about how useful Blockchain technologies will be to improve the security and privacy of intelligent devices in the future. This is discussed in more detail in this article originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Acknowledgements:
Photo by Luis Alfonso Orellana on Unsplash.