I'm looking at 2FA options for my Google account, and I noticed they now allow you to add a security key to your account. I'm a bit of a novice to infosec, but I'm struggling to see the benefit for me. My phone already covers the "something you have" component of account security.

The only thought I have is that a phisher could ask me to enter my 2FA code and use that to log in, and I might not notice. But I see no reason why a phisher couldn't ask me to tap the button on my security key, too.

Are there additional benefits to the security key that I'm not seeing?

Anders

1 Answer

I'm assuming the security key you're referring to is a U2F security key.

U2F has several advantages over other 2FA schemes like OTP; one of the biggest improvements is that it prevents the issue you point out. With most 2FA schemes a phisher could simply act as a proxy between you and the legitimate service, and obtain your password and 2FA code that way. U2F prevents this with the help of the browser.

Authentication works as follows: (somewhat simplified)

  1. The website sends a signature request
  2. The browser validates that the AppID in the signature request matches the visited domain (or that the domain is a trusted facet)
  3. The browser forwards the signature request to the U2F device
  4. The device uses the AppID and key handle to retrieve the private key, which it uses to sign the challenge
  5. The signature gets sent back to the browser, and on to the website to verify it

If a MitM simply acts as a simple proxy this will fail at step 2, as the domain won't match the AppID in the signature request. If the MitM filters the signature request and modifies the AppID to match the phishing domain, it will fail at step 4, as the AppID and key handle no longer specify a valid key.

Of course, the phisher already has your password at this point so you would need to change it, but at least they can't get into your account.

AndrolGenhald
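The five-step flow and the two failure points described in the answer above, as an added example that is not part of the original post and not code from any U2F implementation. To keep it runnable with only the Python standard library, HMAC-SHA256 stands in for the ECDSA P-256 signature a real token produces; this means the relying party here holds the same key the device derives, which is an assumption made only for the stand-in (a real relying party stores just the public key). The key-handle construction (a nonce plus a MAC binding that nonce to the AppID, so the device can recognise a handle that was created under a different AppID) is one scheme tokens use and is assumed here, and the trusted-facet check is reduced to an exact origin match. The domains and the user name are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class U2FDevice:
    """Toy U2F token. One master secret; per-site keys are derived from
    (master, AppID, nonce). The nonce plus a MAC over the AppID form the
    key handle the site stores at registration (assumed scheme)."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)

    def _derive(self, app_id: str, nonce: bytes) -> Tuple[bytes, bytes]:
        mac = hmac.new(self.master, app_id.encode() + nonce, hashlib.sha256).digest()
        priv = hmac.new(self.master, b"key|" + mac, hashlib.sha256).digest()
        return mac, priv

    def register(self, app_id: str) -> Tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        mac, priv = self._derive(app_id, nonce)
        # A real token returns an ECDSA public key here. In this stand-in the
        # server stores the HMAC key instead so it can check the "signature".
        return nonce + mac, priv

    def authenticate(self, app_id: str, key_handle: bytes, challenge: bytes) -> bytes:
        nonce, mac = key_handle[:16], key_handle[16:]
        expected_mac, priv = self._derive(app_id, nonce)
        # Step 4: the handle only yields a key for the AppID it was created
        # under. The U2F raw message spec answers a mismatch with SW_WRONG_DATA.
        if not hmac.compare_digest(mac, expected_mac):
            raise ValueError("SW_WRONG_DATA: key handle not valid for this AppID")
        signed = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(challenge).digest()
        return hmac.new(priv, signed, hashlib.sha256).digest()


class Browser:
    def __init__(self, origin: str, device: U2FDevice) -> None:
        self.origin = origin
        self.device = device

    def sign(self, request: dict) -> bytes:
        # Step 2: the AppID in the request must be the origin actually being
        # visited (the trusted-facet list is reduced to exact match here).
        if request["appId"] != self.origin:
            raise PermissionError(f"AppID {request['appId']!r} != origin {self.origin!r}")
        # Step 3: hand the request to the token.
        return self.device.authenticate(request["appId"], request["keyHandle"], request["challenge"])


class RelyingParty:
    def __init__(self, app_id: str) -> None:
        self.app_id = app_id
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, device: U2FDevice) -> None:
        self.users[user] = device.register(self.app_id)

    def signature_request(self, user: str) -> dict:
        # Step 1: fresh challenge, bound to the site's own AppID.
        key_handle, _ = self.users[user]
        return {"appId": self.app_id, "keyHandle": key_handle, "challenge": secrets.token_bytes(32)}

    def verify(self, user: str, request: dict, signature: bytes) -> bool:
        # Step 5: verify against the site's own AppID, never one from the client.
        _, key = self.users[user]
        signed = hashlib.sha256(self.app_id.encode()).digest() + hashlib.sha256(request["challenge"]).digest()
        return hmac.compare_digest(signature, hmac.new(key, signed, hashlib.sha256).digest())


LEGIT = "https://accounts.example.com"                  # constructed
PHISH = "https://accounts.example.com.evil.example"     # constructed


def _setup() -> Tuple[U2FDevice, RelyingParty]:
    device, rp = U2FDevice(), RelyingParty(LEGIT)
    rp.register("alice", device)
    return device, rp


def legitimate_login() -> bool:
    device, rp = _setup()
    req = rp.signature_request("alice")
    return rp.verify("alice", req, Browser(LEGIT, device).sign(req))


def phish_relay_unmodified() -> str:
    """Proxy forwards the real site's request unchanged to a victim on PHISH."""
    device, rp = _setup()
    req = rp.signature_request("alice")
    try:
        Browser(PHISH, device).sign(req)
    except PermissionError:
        return "rejected at step 2 (browser)"
    return "signed"


def phish_relay_rewritten_appid() -> str:
    """Proxy rewrites appId to PHISH so the browser's origin check passes."""
    device, rp = _setup()
    req = dict(rp.signature_request("alice"), appId=PHISH)
    try:
        Browser(PHISH, device).sign(req)
    except ValueError:
        return "rejected at step 4 (device)"
    return "signed"


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("proxy, AppID untouched:", phish_relay_unmodified())
    print("proxy, AppID rewritten:", phish_relay_rewritten_appid())
```

The two phishing functions are the two cases from the answer: an unmodified relay dies in the browser's origin check, and a relay that rewrites the AppID to get past the browser dies in the token, because the key handle no longer matches. Note that even if a token did sign under the rewritten AppID, `RelyingParty.verify` hashes its own AppID rather than the one in the request, so the signature would still fail at step 5.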