Google warns users about password-breaking onslaught

Daniel Puchert

Journalist
Staff member
Warning to people using passwords on their Google and Microsoft accounts

Google has warned that most of its users are still relying on less secure methods to log into their accounts and encouraged them to adopt passkeys for better protection against cyberattacks.

Many people use their Google account or Gmail address as their primary login credentials for various online platforms and as a channel to retrieve or change passwords if they forget them.
 
Instead, they can just re-authenticate themselves using a fingerprint, facial scan, or a PIN on the device where they added the passkey.
So I used my smartphone, as it has a fingerprint reader, to store the passkeys in a secure enclave (TPM).

Then my phone gets stolen/breaks.

How do I get my account access back?
 
Have multiple Yubikeys, and have one that you keep in storage for when your regular one gets lost or stolen.
I think most people will just use their smartphone's secure enclave or Windows Hello TPM, unless you're at a corporate where the company will give you a Yubikey.

Q1. How does the security sync between the two Yubikeys?

Q2. Do I need to carry my Yubikey(s) around with my smartphone?
 
So I used my smartphone, as it has a fingerprint reader, to store the passkeys in a secure enclave (TPM).

Then my phone gets stolen/breaks.

How do I get my account access back?

You get a real phone that syncs your passkeys to other devices.

Then you can login on your tablet or your computer or your new phone.

The “device” in this case doesn’t need to be the actual hardware but rather the system that generated and keeps the passkey.

Since Google Chrome can generate passkeys I’m sure Google has figured this out as a standard by now to sync across devices?
 
What makes a passkey different to a USB security key?

It’s quite literally the same thing tied to a hardware device.
So what is the solution? Tie everything to a fingerprint/retina scan? A drop of blood?
Would be strange trying to get a drop of blood to sign in to Gmail though.
 
So what is the solution? Tie everything to a fingerprint/retina scan? A drop of blood?
Would be strange trying to get a drop of blood to sign in to Gmail though.

Ultimately it’s all about multi-layers.

I can’t comment on how it works on Android but in Apple land you create your Passkey with iCloud keychain and you authenticate it with TouchID or FaceID.

Even if you use it in Google Chrome tied to your Google Account you still need to verify with FaceID or TouchID.

Point is that everything is on device and it’s not much different to touching your finger to the Yubikey.

Main difference is that there is no password involved at all.

My company was entirely Yubikey first, we have now been passwordless for the last few years. Far more granularity and can’t be stolen etc.
 
I think most people will just use their smartphone's secure enclave or Windows Hello TPM, unless you're at a corporate where the company will give you a Yubikey.

Q1. How does the security sync between the two Yubikeys?

Q2. Do I need to carry my Yubikey(s) around with my smartphone?
Q1: You'd need to manage both of them manually, so if you add one Yubikey to Gmail (for example) you'd need to add the other one as well (not all services allow you to add multiple FIDO2 keys, so in these cases I would add Google Authenticator/Microsoft Authenticator as 2FA).

Q2: Your primary one yes, if you intend on using the key as your primary login or you can use it as your 2FA method (after you type in your password).
 
I think most people will just use their smartphone's secure enclave or Windows Hello TPM, unless you're at a corporate where the company will give you a Yubikey.

Q1. How does the security sync between the two Yubikeys?

Q2. Do I need to carry my Yubikey(s) around with my smartphone?

We’ve completely dropped Yubikeys short of a few rare applications that require them mostly for not moving with the times.

Yubikeys are very much stand-alone devices you can’t really do all that much with and also massively expensive at scale.

Not to mention they have been compromised before.
 
So what is the solution? Tie everything to a fingerprint/retina scan? A drop of blood?
Would be strange trying to get a drop of blood to sign in to Gmail though.

The solution is to have your 2FA sent to your phone through your banking app. So that the criminals, if they take your phone, can also authenticate all the transactions as they empty your bank accounts.

Or to have the Google or Microsoft Authenticator also on your phone. That way anyone who steals your stuff can also authenticate there.

One has to be wary of the different scenarios though.

Google is no doubt warning about online phishing and keylogging.

In SA we have that and we also have the usual muggings, murder and rape.

Google with 2FA is already well secured. I don't know what other means of security would be necessary.

There are more complicated ways of improving security for banking using card readers, codes and credit cards which generate OTPs as well. But those should be reserved not for daily use.
 
I think we should be moving to physical USB security keys again; the problem is, as @system32 alludes to, what if that gets stolen?


I remember about 10 years ago working for a corporate. We had a software license (for expensive projection software used by insurance companies) that only worked if the physical USB was plugged into the server/desktop machine. We were paying about R500k per year for the license. One night there was some construction being done at the office and one of the workers stole the USB (probably thinking it was a regular USB device). Was a bit of chaos the next day with everyone trying to figure out what happened. Eventually they checked the cameras and got the guy. He returned the USB.
 
I remember about 10 years ago working for a corporate. We had a software license that only worked if the physical USB was plugged into the server/desktop machine. We were paying about R500k per year for the license. One night there was some construction being done at the office and one of the workers stole the USB (probably thinking it was a regular USB device). Was a bit of chaos the next day with everyone trying to figure out what happened. Eventually they checked the cameras and got the guy. He returned the USB.

That's a hardware dongle. Autocad and other professional products used to work with those. There were ways to hack those too and one could even find hacked versions of AutoCAD where the code to check for that was disabled.

Of course you couldn't run pirated software in the industry in case you were audited.
 