68 comments

[ 3.4 ms ] story [ 115 ms ] thread
Highly misleading headline (EDIT: Title has now been changed). From the article:

> including One Time Passwords (OTP)via SMS phone messages

That "SMS" bit is critical. OTP over SMS sucks. OTP using the same app that already manages my passwords (1Password) is a breeze. Sure, if I had a U2F Security Key already plugged in, then it would probably be even faster, but the downside is I need to have a physical key plugged in, and if I don't have that key with me then I'm screwed (whereas with 1Password I can get at my OTP codes from any of my devices).

There's always going to be a trade off between security, usability, and price. Physical keys are clearly more secure, but also come with increased price and some usability issues (e.g. if you don't have your key you're screwed). But as Google's research demonstrated, there are also usability issues with SMS OTP (3% avg failure rate vs 0% avg failure rate with keys).

Net-net, it depends on how sensitive the data is that your are protecting, and whether you prefer increased security or ease of use.

Given that NIST now explicitly says you shouldn't use SMS for 2FA, I'm not sure why we're even trying to compare U2F to SMS OTP. It's just not a useful comparison at all. Any company that is even considering supporting U2F should already be offering non-SMS-based OTP anyway.
For the vast majority of users who are not the targets of government attacks, SMS OTP is still a huge win for account security. Alex Stamos put it well:

https://twitter.com/jonoberheide/status/804363754842554375 "Nothing < SMS < Push < U2F"

https://twitter.com/alexstamos/status/804367695860744192 "Seems like the right ordering, but when deployment is 98% < 2% < .5% < .01% complaining about SMS security is pretty silly."

State actors aren't the only ones threatening the security of SMS OTP.
SMS-based 2FA doesn't stop phishing, which is a significant security benefit of U2F.
The security of these is actually somewhat DUE TO the low adoption rates. If all of my consumer services have SMS 2FA, attackers will currently just move on to the next account in their list. It's similar to the spam game: it doesn't have to be perfect, just enough to make it not economically viable to spend the time required to crack it. Once everyone has SMS 2FA, I'll move on to push or U2F and be ahead for another decade or so. It's just important that people are given an option, so lazy / don't know any better consumers can do the easy thing and get their accounts stolen, while people who actually care / know enough to know they should care can stay somewhat safer. The unbalance is unfortunate, but until we figure out a way to ACTUALLY secure things which companies will get onboard with (related: the US uses chip cards now...but still only requires a signature facepalm) staying one or two steps ahead of the general population makes you pretty safe against everything except targeted attacks.
OK...but Google and my bank still use OTP over SMS to two-factor authenticate me. So clearly there's room for discussion and evangelism here. NIST can say that pigs fly, but until I see it in the wild I'm going to take it with a grain of salt.
Just so you know, you can also use Google Authenticator if you really dislike SMS. Make sure to back up those emergency keys though, and read about encrypting your iTunes backups so it'll actually back up the GA settings.
Even better is to buy a Yubikey, for those services that already support U2F use that. For those that do not, use the Yubico Authenticator and your Yubikey over NFC. You care one key around and no secrets are ever on your phone.
If the bank doesn't support RFC 6238 OTP, Google Authenticator will not help.
I have a Yubikey Nano in each of my computers, that are registered with everything that supports U2F (currently only Google and Github). I also have a Yubikey Neo that's on my keychain. Between all of these, I never have any U2F problems.

Except my iPhone, which can't get OTP codes over NFC like Android phones can. So actually I have Google Authenticator for TOTP codes.

You must not be using the new macbooks...
What's preventing USB-C Yubikeys? So you need an adapter right now...
Apparently, lack of market demand [0].

As for adapters: they significantly increase the profile of the yubikey nano, which I feel is a dealbreaker in that particular case, as the main selling point of the nano (to me, at least) is the always-plugged-in capability (see the image on the far right in [1]).

[0] https://www.yubico.com/2016/07/yubikey-route-usb-c/

[1] https://www.yubico.com/products/yubikey-hardware/yubikey4/

Agreed! The best part about my Yubikey Nano is that I don't know its there and don't have to be careful about knocking it off. Invisible security is the best security. :)
The Yubikey nano is ridiculous with an adapter.
I guess Yubico is working on a Bluetooth-based key for that use case (as well as phones).

https://www.yubico.com/products/yubikey-for-mobile/

But yeah, I use a Surface Pro and a Chromebook Pixel. The Surface is annoying in that it only has one USB port, my Yubikey Nano is actually on the dock and I use the portable key otherwise. The Chromebook Pixel is fine, two USB-C ports, two USB A ports.

Keeping your password and your OTP generator in 1Password is not TWO-factor-authentication (2FA). Since you only need your master password to get both. https://blog.agilebits.com/2015/01/26/totp-for-1password-use... (See the "Second Factor? No." bit).

In the case where you need true second factor authentication, it needs to be another factor (i.e. device). This is a good place to have a Fido U2F key.

In my experience, it takes about the same amount of time to use the key vs. using the OTP token from 1password (assuming you keep your key on you).

With 1password you have to have both the password database (one factor) and the password to unlock it. (another) It's not traditional 2FA but it fits pretty close. (a thing you have and a thing you know)
Even so, there are other benefits, such as your TOTP key never being sent over the network (unlike your generated password).
You also need to have the password database. Having the master password alone is not sufficient, and having the password database is not sufficient. And of course the master password never gets transmitted over the network, so it's harder to get. If your threat model is an attacker that's compromised your specific computer (as opposed to a network attacker) then yeah, having the OTP code in your password manager isn't 2FA. But if your threat model is a networked attacker, or alternatively, is the remote site being compromised and your password leaked, then having OTP in your password manager is effectively 2FA because the attacker doesn't have either your password database (a thing you have) or your master password (a thing you know), they just have your site password.

So really it comes down to what your threat model is and what risk profile you're willing to accept for a given site. For me, all I really care about is TOTP and not having "real" 2FA. But of course if you're talking about something like an AWS account that controls access to your company's data, it's probably worth investing in a YubiKey or similar.

Or even better: google accounts with the Google Authenticator on your phone, then require a Duo push auth. ML with some hard rules for when to require a second or third factor, like "always" when it's an admin account.
If all the factors are on the same box, it's just one factor.
The main concern for people using TOTP from a password vault is attacks against the websites they are visiting, not compromise of their password vault.

So no, the two factors are not on the same box being attacked, in the threat modes of interest.

For the threat of "my stuff was stolen" then both factors are in the same box, so even having a separate piece of hardware is no use (unless you can convince the thief to not take everything and please leave the authenticator dongle behind).

> The main concern for people using TOTP from a password vault is attacks against the websites they are visiting, not compromise of their password vault.

Well, if they gain access to your machine, they can't access your iphone. Or yubikey. Just don't kid yourself—you use the same password for everything, and that's your only factor.

No, it by absolutely no means whatsoever is 2FA, no matter how you slice it.

Regardless of where your password database is, the attacker only needs to compromise 1 password on the website to access your account. It doesn't matter how they got that password, your physical devices are irrelevant.

With 2FA, the attacker would also need access to the secondary device that has the secondary authentication, whether that be a phone, RSA key, FIDO key, etc.

1Password is not "real" or "fake" 2FA, it's straight up not 2FA at all and doesn't claim to be. It's fine to not want 2FA if you don't handle high-risk data (though that's increasingly rare these days in reality), but lets not conflate the term =P

> Regardless of where your password database is, the attacker only needs to compromise 1 password on the website to access your account.

What are you talking about? The whole point of TOTP is if the attacker compromises your password, they still can't log in because they don't have the TOTP code.

Phishing is a top threat to users and enterprises both. OTPs, whether from SMS or not, can be easily phished as well as passwords, while U2F cannot. So the answer seems fairly clear.
OTPs must be phished and then used very rapidly. The ROI for a successful phishing is much lower: a database of old OTPs is much less useful. (I'm sure you could use that to break the secret, but it's definitely not storing the secret.)
True, but not difficult.
Only if you are using TOTP. If you're configured to use HOTP, then that phished credential is much more valuable.
No offense, but uh... please read the article?

You quoted: including One Time Passwords (OTP)via SMS phone messages

The sentence that phrase is lifted from: U2F is an alternative to other forms of two factor authentication (2FA) including One Time Passwords (OTP)via SMS phone messages.

So you either deliberately or carelessly misquoted. What's more, I quote:

> Additionally, Google's research found that with OTP based authentication there was an average failure rate of three percent. In contrast, with the U2F Security Key approach, Google experienced zero authentication failures. The improved efficiency of using Security Keys instead of OTP is estimated by Google's support organization to have saved the company thousands of hours per year.

And further:

> "While any 2-SV mechanism is better than having only a password on your account, FIDO U2F provides strong authentication that's resistant to many forms of advanced phishing attacks that traditional 2-SV doesn't protect against," Brand said. "It also provides for a much better user experience."

So no. The headline is not misleading and in fact your hot take and comparison to 1Pass is a misunderstanding.

For people curious what these keys look like in the wild, by far the most famous brand name most people in our space would see is Yubico, which you can see here: https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...

You _can_ integrate this approach into your product, into your AWS environment, into your Azure environment, or into your linux servers. And it works, and it can be self-hosted if that is a priority for you.

Oh, and if you'd like to try the best of ALL THREE WORLDs, LastPass directly supports Yubikey FIDO keys. And also lacks 30s of impromptu vault animations and supports touchid. They're working on facial recognition for Windows as a 3rd factor as well, I'm told. That'll be great.

I did read the article, and if you have to say "no offense", then it's because you're giving offense. The bit you quoted is literally what I quoted, just with more (irrelevant) words quoted at the beginning, so I don't know why you're even accusing me of misquoting anything.

The real problem here is the fact that the title of this post was edited multiple times, and now bears very little resemblance to what my comment was responding to. The original title alleged that Google said FIDO U2F Security Keys were better than OTP, without any mention of the fact that the article was only comparing it to SMS-based OTP and therefore the headline was inaccurate because OTP does not mean SMS-based OTP, and I expect (well, I hope) that most commenters here don't even use SMS OTP but instead use TOTP with an app.

In any case, I did edit my comment to mention that the title has changed, so the fact that you're saying I'm wrong immediately after accusing me of not reading something is pretty hypocritical.

Partial quoting an article to the go on to disagree with the core premise and good security will net you no sympathy from me.

But the burden is on you to update it make it clear what you're referring to. If you think that this is truly unfair then I apologize for only reading your post and the linked article and not the entire historical context.

But I think even without that, you went on to make a point counter the article using article text as if it was a valid counterpoint is wrong.

Partial quoting? I quoted the relevant bit. I may as well accuse you of partial quoting too since you "only" quoted one sentence and not the surrounding sentences.

> But the burden is on you to update it make it clear what you're referring to.

Not when I can't edit the comment anymore. When I edited my comment to say the title has been changed, the title had just been changed to say "SMS OTP" instead of "OTP", so it was still (I thought) clear what my comment was about. By the time I saw the post had had its more dramatic title change, my comment was past the edit period.

And yes, I do think it's unfair that you're accusing me of misquoting and writing an incorrect comment, when my comment was perfectly correct when written, and when it's impossible for me to "fix" it later (not to mention I didn't even know the title had been edited again until I saw your comment).

> But I think even without that, you went on to make a point counter the article using article text as if it was a valid counterpoint is wrong.

I did not use the article text as if it was a counterpoint. I used the article text to illustrate that the article was talking specifically about SMS OTP, and that the article did not even attempt to address non-SMS-based TOTP. And then gave my own opinion, which is that non-SMS-based TOTP is much better than SMS OTP and has some benefits as compared to a physical U2F device. Since the article didn't even address non-SMS-based TOTP, it can't be a point either for or against that opinion, but what it could be was context.

The primary problems with OTPs include input error and expiration windows. These are not fixed by making them push notifications. Further, there are many platforms where push is not an option or were SMS vs Push would not make a difference.

So no. Absolutely not. SMS is an additional problem, but OTPs in general suffer from logistic issues separate from their medium.

TOTP doesn't use Push.
The medium of delivery is not the problem here. In fact, most stuff I've read suggests TOTP had an even higher fail rate than push or SMS OTP.
The comparison is to "One Time Passwords (OTP)via SMS phone messages."

Given the vulnerabilities in GSM, that's not a high bar. http://security.stackexchange.com/questions/11493/

The even more relevant comparison is to TOTP. Many places support 2Fa over TOTP, far viewer support 2Fa over U2F.

The big problem with TOTP is that real time attacks can still get you when you get MITM.

Edit: I now understand you were talking about the article, not the technology itself

Also totp hardware tokens suck (get out of sync) and totp smartphone apps suck because Android phones are so insecure/malware ridden.
Updated the title to specify SMS OTP.
We reverted the title from “Google: FIDO keys more secure, easier to use, and more affordable than SMS OTP” to that of the article, since it appears to be neither misleading nor clickbait.

https://news.ycombinator.com/newsguidelines.html

I don't totally agree with this title change. Of course FIDO security keys improve security. What is interesting about this article and the research conducted is the comparative effectiveness of FIDO keys versus the much more widely deployed mechanism of SMS OTP.
It only says "including" SMS OTP. If the study is based on Google internal use, it probably also includes Google's OTP app.
So is Yubikey and implementation of this standard or a competitor?
Yubikey sells U2F keys, yes. They also have their own protocol that they first started with before U2F existed, but they have been part of U2F for a while.
Yubikeys support all the different standards. Together with the Yubico Authenticator App you can use TOTP, to replace your Google Authenticator. It supports HOTP but that is used less often. Yubico itself defined a something new that is just a addition to HOTP (HOTP + Identity) and some services implement this (for example, LastPass Password Manager).

In some ways they are in technical competition but the company is making money regardless because they just implement both.

Yea seems right, U2F keys are very sound security-wise. The biggest challenge I've found is the obvious: ease of use. It can be kinda clunky to need to pull out a key and plug it in to a USB port in order to log in to Github, for example.

That said, this is mitigated pretty well usually with the "thumbnail USB" style key (like Yubikey has) where you pretty much keep it plugged in all day and click it when you need to access something. Security is still maintained as we're mostly concerned about remote attackers, though still a good idea to pull the key out at the end of the day or if leaving the laptop for a considerable amount of time.

Physical ease of use will definitely be the trick for mass adoption. I recall seeing wireless U2F keys at some point?

The yubikey neo support NFC. Comparison here: https://www.yubico.com/products/yubikey-hardware/

(Edited my comment to correct a mistake)

Most yubikeys = only the Neo
The only one that supports it appears to be an outdated model that isn't undergoing the latest certifications and lacks other features (like ECC p384)
I was really disappointed when Yubikey 4 came out but did not have NFC. I really want to have a RSA 4096/ECC p384 smartcard with NFC and I really wanted to be able to do U2F over NFC.

I have some hope that a product like that is coming, I just don't know when.

My bad. There was at least another one that did NFC, but it must be a discontinued model and removed from the page since I last looked at it.
It would be nice if Google helped to fix the bug which causes Chromium to crash on *BSD when presented with a U2F auth req. (https://bugs.chromium.org/p/chromium/issues/detail?id=451248)

Ever since adopting a security key, I've had to set my user-agent to Firefox (to prevent the U2F auth attempt) and fall back to Google Authenticator for 2FA.

How can I use U2F for Windows sign-on? Windows 10 "Hello" stuff is apparently in the pipeline, but I need U2F domain authentication for Windows 7+.

Also curious if I can use a U2F for anything PGP-related, signing or encrypting regular stuff.

All this to save $20/piece!

> Also curious if I can use a U2F for anything PGP-related, signing or encrypting regular stuff.

You can! This works mostly out of the box if you enable it using the manager application (looks like newer models may have it on by default) and install the required gpg smartcard stuff.

https://www.yubico.com/support/knowledge-base/categories/art...

No I mean the one key that isn't listed on that page... the $18 FIDO U2F Security Key.

Thanks for pointing this info out though!

One thing that struck me while reading this announcement is that if Apple had gotten on board with this idea the latest MacBook Pro may have had a better reception. Imagine hardware specifically built into your laptop to facilitate FIDO U2F security keys. Whether that's a device like those offered by YubiKey or an NFC reader, making U2F available and simple to use would be a great thing. Maybe it could even replace GPG/PGP for common uses.

Then again, maybe the recent Bluetooth 5 announcement will be enough to drive adoption. Or possibly the next iPhone / Pixel could act as a U2F device. Maybe then we could get "normal" people to use real security instead of asking them what street they grew up on or what their mother's maiden name is.

That's great, but when I try to use a NFC FIDO U2F key with my Google account, it says "Security Keys are not support on your device." The same key on the same device works just fine on Github (running Chrome for Android).