Mobile Security Neglected as Google Integrates U2F Authentication

10/29/2014

As reported by Krebs on Security earlier this month, Google has integrated the Universal 2nd Factor (U2F) standard, allowing a physical USB component to be used as a second authentication factor when logging into Gmail and other Google services through its Chrome browser.

The U2F standard was developed by the Fast IDentity Online (FIDO) Alliance, an industry organization that has been working on specifications and authentication technologies that will dramatically improve login security. By using technologies like USB security tokens and biometric identifiers, FIDO hopes to help prevent data breaches and malware infections like those experienced by Target, Home Depot, and UPS.

When applied, the U2F standard ensures that login requires both a knowledge factor (the password) and a possession factor (the USB security key). The key does not merely prove it is plugged in: it signs a challenge issued by the server together with the origin the browser is actually connected to, so a signature produced while the user is on a look-alike domain is not valid for the genuine Google login page, and access is granted only when the signature checks out for the real origin.

Thus, U2F technology is designed to avoid phishing and “man-in-the-middle” attacks in which attackers create spoof websites that are designed to mimic legitimate services and intercept or redirect credentials that users enter through the login process.

Real-time phishing (“man-in-the-middle”) attacks have already been used to bypass the weaker two-step verification that Google has offered for login security, and the same SMS one-time-code approach has failed in major breaches such as those targeting Swiss banks and other financial institutions in Europe.

By intercepting or relaying user credentials, including the one-time codes that users receive on their smartphones via SMS and then type into the login form, attackers have shown that SMS-based two-step verification cannot be relied on as a robust security solution: a relayed code is as good as the original, because nothing ties it to the site the user is actually looking at.

In contrast, the U2F standard requires a possession factor and binds every signature to the genuine origin, so the phishing and relay attacks that defeat two-step verification do not work against it. One caveat a practitioner should keep in mind: U2F protects the login itself, not the endpoint. Malware already running on the user’s machine can still act within a session after the user has authenticated, so a security key does not remove the need for endpoint hygiene.


U2F Implementation Leaves Users Vulnerable and Perpetuates Password Vulnerabilities

Although Google’s U2F implementation represents a promising improvement in secure authentication, the technology as first shipped has significant drawbacks, and the biggest is that it works only with a USB port and the Chrome browser, so it offers no secure login path to users who authenticate from phones and tablets.

As Krebs on Security has pointed out, “Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.”

Unfortunately, Google’s U2F implementation has neglected mobile security. It leaves mobile users and users of non-Chrome browsers where they were before, not only because their devices are not supported but also because the design keeps the password as the first factor, so password theft, reuse, and weak password choice remain part of the attack surface.

Falk Goossens, CTO of SecSign Technologies, is an advocate of password removal and universal device and software support in authentication technology, and while he welcomes Google’s effort to improve login security, he sees its U2F implementation as a missed opportunity.

“Apart from removing passwords and delivering strong cryptography,” Goossens says, “the most important feature for modern, secure authentication is that it must be usable on all devices and with all browsers. Only then can it be said to provide real protection for users and move us toward a more secure future.”

Goossens and his team at SecSign Technologies are the developers of SecSign ID, a two-factor authentication solution that uses mobile push technology to eliminate passwords and sensitive credentials from the login process. SecSign ID uses simple plugins and a free mobile app to provide strong cryptography and secure authentication using 2048-bit key pairs (the private key held on the user’s device, the public key registered with the server) and public key infrastructure (PKI).

The technology allows users to quickly verify their identity on their mobile device by entering a PIN or passcode, scanning their fingerprint with Apple’s Touch ID, or combining two of these factors. This verification unlocks a private key, stored securely on the user’s mobile device, which digitally signs the authentication request (challenge) issued by a cloud or on-premise authentication server; the server then checks that signature against the public key it registered for that user.
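The origin-bound challenge-response that both the U2F description above and the SecSign ID signing flow rely on, shown as an added example in Go. This is illustrative code written for this page; it is not code from Google, the FIDO Alliance, or SecSign Technologies. It assumes a P-256 ECDSA key pair generated on the device, a signed payload of SHA-256(origin) || counter || SHA-256(challenge) modelled loosely on U2F’s layout, and two constructed origins: accounts.google.com as the genuine site and accounts-google.example as a phishing look-alike. A real challenge signed while the browser is on the look-alike origin fails verification at the real site, a replayed assertion is rejected because each challenge is consumed once, and a signature counter that fails to advance is treated as a sign of a cloned key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device: the private key is generated there and
// never leaves it. (Illustrative model, not SecSign's or Google's implementation.)
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // incremented on every signature, as U2F's counter is
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedPayload = SHA-256(origin) || counter (big-endian) || SHA-256(challenge).
// Hashing the origin into the payload is what ties the assertion to one site.
func signedPayload(origin string, counter uint32, challenge []byte) []byte {
	o, c := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(append([]byte{}, o[:]...), ctr[:]...), c[:]...)
}

// Sign runs after the user has unlocked the key (PIN, fingerprint, touch). The origin
// comes from the browser or app, never from the remote page, so a look-alike site
// cannot request a signature over the genuine origin.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	digest := sha256.Sum256(signedPayload(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig, err
}

// RelyingParty is the server: it stores only the public key, the last accepted counter,
// and the challenges it has issued but not yet consumed.
type RelyingParty struct {
	Origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{Origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh 32-byte nonce for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify accepts an assertion only if the challenge is outstanding (no replay), the
// counter moved forward (no cloned key), and the signature covers rp.Origin (no relay).
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(challenge))
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase")
	}
	digest := sha256.Sum256(signedPayload(rp.Origin, counter, challenge))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature not valid for this origin")
	}
	rp.lastCounter = counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://accounts.google.com", auth.PublicKey()) // constructed origin
	ch, _ := rp.NewChallenge()
	ctr, sig, _ := auth.Sign(rp.Origin, ch)
	fmt.Println("legitimate login:", rp.Verify(ch, ctr, sig))
	fmt.Println("replayed assertion:", rp.Verify(ch, ctr, sig))
	// Phishing relay: the real challenge is signed while the browser is on a look-alike origin.
	ch2, _ := rp.NewChallenge()
	ctr2, sig2, _ := auth.Sign("https://accounts-google.example", ch2)
	fmt.Println("relayed via phishing site:", rp.Verify(ch2, ctr2, sig2))
}
```

Run it with `go run`. The point to take away is that the server never learns anything an attacker could reuse: it holds a public key and a counter, the private key stays on the device, and because the signed bytes name the origin, a credential harvested through a spoofed page cannot be forwarded to the real one. The counter check is the defence against a key that has been copied off the device; it is a heuristic, not a proof, which is why U2F pairs it with hardware that is hard to clone.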

This PKI authentication technology can be integrated with virtually any website, application, service or system, and it supports access from any iOS or Android mobile device.

SecSign ID was engineered using the same fundamental security principles that are used in ATM and smartcard technology, and its removal of passwords and other credentials from the authentication process is in line with the industry standards that are now being advanced by the FIDO Alliance.

“With SecSign ID,” Goossens says, “we have already taken secure authentication beyond the levels of security and functionality that many experts and tech companies are just now recommending and implementing.

“We have created a powerfully safe and easy-to-use solution for two-factor authentication that works for virtually any application and device, and it completely eliminates passwords and credentials from the login process. No password or other credential is ever entered or transmitted through the login process, and none is ever stored on a server. Thus, we have made it physically impossible for attackers to steal user credentials.”

To learn more about SecSign ID, visit the SecSign Technologies product page to watch an introductory video and learn more details about the security and functionality of the product. The SecSign ID mobile app can be downloaded for free through iTunes and Google Play, and users can test the login process using the Try It Now page on the SecSign Technologies website.


About SecSign Technologies

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 18 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. Its security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.
