- So maybe I'm just getting a lot more paranoid
as I get older
or maybe it's because my kids
are now old enough to use phones
or maybe it's because we can't go a day
without hearing about some website getting hacked.
But I've been thinking a lot more
about online security lately
and basically how it's kind of backwards and broken
for so many people.
But I was really intrigued by this headline recently.
It said out of Googles 85 thousand some-odd employees,
not a single one had been phished.
Their accounts had not been compromised
since they moved to using these.
Physical hardware security keys.
So their accounts are safe.
I want my account to be safe.
I want my kids accounts to be safe.
So I went down a pretty deep rabbit hole.
I've turned on Google's advanced protection program
for my person Google account
and that's Google's strongest consumer level system
that requires these hardware keys to work.
So what are they?
What can they do?
How do you use them?
Hang on, we're gonna have to get in the weeds
just a little bit here.
We're gonna talk about hardware keys,
we're gonna talk about advanced protection,
and we're gonna talk about Google's brand new Titan key.
Yeah, we're gonna nerd out a little.
Here we go.
(playful music)
All right, first things first,
Let's talk about what the hell I'm talking about.
So look, we all know passwords, okay,
and we all know that we should be using
strong unique passwords.
We all know that we should be using password managers
for those strong unique passwords
and if you're not doing that already, go do it.
I'll wait.
All right, good, you're back.
And we all also know about two-factor authentication.
That's a second password after your password
but here's the thing,
it's possible for someone to hijack your text messages.
It's possible for them to get into your phone account.
It's possible for them to intercept
the one-time passwords you get via an authenticator app.
This isn't necessarily tinfoil hat stuff
I'm talking about, okay.
I mean yeah, if you're a target,
it's a lot more likely that someone's gonna try to fish you
because that's spearfishing
but it's also possible that you could just blunder
across a bad link that somebody sent you
or you just didn't know it
and that's why this stuff is also important.
And so, more secure than text messages
and authenticator apps are these physical hardware keys.
So what are they?
Look they're little USB sticks.
They look like thumb drives, yeah.
And the way it works is this.
You take your key and you stick it in the computer
and you register it
with whatever service it is you're using,
Twitter and Facebook are two.
Dropbox is another really good one.
Google, obviously.
Not every website and service out there uses them.
I really wish they did.
There's a good website to use twofactorauth.org.
They have a huge database telling you
what forms of two-factor authentication websites use
and whether or not they take hardware keys.
So I use my password,
I stick this in the computer,
I give it a little tap and that's it.
I'm logged in.
Now there are several kinds
of these physical hardware keys, okay.
There's this normal little USB type
which is nice and easy and small,
you can keep it on a keychain if you want
or stash one in a drawer or a safety deposit box or wherever
as a backup.
That's not a bad idea but remember
the more these you have laying around
with your credentials on them
the more it's possible for
somebody to get a hold of it, right?
Trade-offs.
Phil what about my phone?
Well, okay, you have keys, little USB keys
that also have NFC chips in them
or you have these larger fobs that have to be charged
but they have little Bluetooth radios in them
and those work, as well.
In fact, they work with the iPhone
which doesn't have wide open NFC until iOS 12 comes out.
Really, when it comes to the keys themselves,
there's, kind of, no one right way to do it.
Fewer is obviously more secure
but you're gonna have to figure out what works best for you.
So also, hardware keys are faster, actually,
and when I really got to using them it made total sense.
So instead of waiting for a text message to come in
and then me copying that over
and then pasting it into a website,
I stick this in, I tap it, I'm done.
Same goes for the authenticator apps,
exactly the same deal.
Now what about this Titan key
that you've been hearing about?
Yes, it's all nerdy and sounds Titan key.
That's a great name for it.
It's actually named after
part of what Google uses on its enterprise servers
for security stuff
and really all it is
is a physical hardware key,
only it's controlled by Google from start to finish.
Google controls the hardware,
Google controls the firmware,
and that's really all it is.
It's the same kind of physical key
you would get from, say Yubico,
only it has Google's name behind it.
These are now on sale from Google directly
in the Google store
and for 50 bucks you get a Bluetooth fob
that'll work with pretty much everything,
including the iPhone,
and you get a slick looking USB key
that also has NFC built in.
Now one quick note on that,
at launch, the NFC
is not actually working with Android phones.
They have to do a behind-the-scenes update on that
so I'm not quite sure when it's gonna happen
but it is coming.
But let's stick with Google for a second.
So if you're really
worried about keeping your Google account secure,
there's what's called Google Advanced Protection Program
and here's how Google explains that.
- [Instructor] But if you're an activist,
journalist,
thought-leader,
business executive,
or other public figure,
or anyone who feels vulnerable
to highly targeted online attacks,
you might need a different level of security
to keep your data safe.
That's where the Advanced Protection Program comes in.
It's Google's strongest account security.
- So here's how I explain it.
Once you turn advanced protection on,
the only way to get into your Google account
is to first, have the password
and second, have one of the physical hardware keys
attached to your account.
No more text messages.
No more authentication codes.
No more using a second trusted device, like a phone,
to login.
You have to use a physical key.
And by the way, Google also makes it harder,
once you turn this on,
for somebody to use the account recovery process
to actually get into your account.
It includes you, by the way.
So this will, kind of, break some stuff initially.
When you first turn on advanced protection
it logs you out of every single device you're in
because now you have to log back into it
using a hardware key.
It means every phone, every computer,
every third-party app
that you might have used Google to log into,
you're now logged out
and that means you can't use third-party email apps.
I use Mailplane and Shift on my Mac.
You can't actually log into your Google account
from the Mac.
You can't use Apple's mail apps anymore.
And the one really weird one,
and I think this is just broken,
I can't even use my NVIDIA shield TV box.
I can't log in with my Google account on that.
Whoops.
And that actually brings us to the question,
do you really need Google's advanced protection?
I'm thinking for the vast majority of us out there, no.
You have different options, anyway,
when you log into Google accounts, right?
You can use a hardware key and not use text messages
or not use authenticator apps.
Advanced protection really just takes things
to the next level where you have to have the password
and you have to have a physical key
and you can only use a physical key to login.
And I'm willing to bet that Google's
also doing some other stuff in the background
to keep an eye on things.
So if you really think you're a target,
if you're a journalist or a politician or whatever,
then yeah, it would be a really good idea.
For the rest of us,
probably gonna be a little more of a headache than you need.
All right, that was a lot.
I get it.
Let's recap.
You gotta have a good strong password, right?
You got to use a password manager.
You gotta use a password manager.
You have to use two-factor authentication of some kind.
Text messages are okay.
Authenticator apps are okay.
Physical hardware keys are better,
much, much better.
And remember, Google isn't the only company out there
to use these things, okay?
There's a whole website, twofactorauth.org
where you can look up services
that use hardware keys for two-factor authentication.
And Chrome isn't the only browser out there that uses it.
Firefox does and Microsoft just announced
that it's finally bringing support, as well.
Safari.
Well, Apple's gonna Apple.
And finally, grab yourself a key to use, okay?
Maybe it's one of these really simple USB keys
and that's it,
maybe you want one with NFC
so you can use it with your phone,
maybe you want one with Bluetooth if you have an iPhone
and that's the best way to go.
I can't tell you which way is gonna be best for you.
You're gonna have to figure that out on your own
a little bit
but use it.
Get a hardware key.
Register it with these services
and sleep a little better at night.
So that's it on hardware keys and Google advanced protection
and the new Titan key.
Again, I've got links down below for all this stuff,
if we went a little fast.
And I've got a link down below
for that talk from Christian Brand of Google
at the Google cloud conference.
I tell you, it really opened my eyes to all this
and made it make even more sense
even as I was using it.
Really good, it's worth your time.
So go get a key.
If you got any more questions,
ask them down below in the comments.
That's it, see you next.
(playful music)
Không có nhận xét nào:
Đăng nhận xét