Wednesday, January 4, 2017

Google's FIDO U2F Security Key: Taking two-step authentication to another level

A prominent Computer Science professor, Dr. Ramzi Haraty, once said: "No system is fully and 100% secure". I was 18 years old when I first heard that statement, and I didn't really take it seriously.

As I grew older, I realized that the statement was entirely true, beyond any reasonable doubt. As a matter of fact, there isn't a service, login page, piece of software, database or website that cannot be hacked and penetrated.

Even the NSA's hidden, encrypted servers have been hacked. However, each system has its own security measures; some are challenging and tough to break into, and others are trivial.

One company that takes security extremely seriously is Google Inc. Behind its simple-looking login page there is a security system beyond most people's imagination:

As a matter of fact, if you can hack this page itself (not merely hijack one user's session) and access a consumer's account, your finding is worth a great deal of money under Google's bug bounty program.

What Google does to protect its members' Gmail accounts is astonishing. This includes, but is not limited to:

1. Bug bounty programs: Google pays out millions of dollars each year to hackers and security researchers who report bugs in its systems. That pushes curious and opportunistic researchers to go looking for bugs in the hope of getting paid, and as bugs get reported and fixed over the years, fewer of them remain.

2. Encrypting the web, literally. In summary, this means HTTPS: it encrypts your communications with the websites you use, passwords and credit card numbers included, so that anyone spying on your Wi-Fi cannot read them. Note what HTTPS does not do: it protects the data in transit, not a password you have already typed into a convincing fake page, which is why the second factor discussed below matters.

3. Challenging suspicious sign-ins. If a login comes in over Tor, or from a country your account has never been used from, Google does not simply let the password through: it may block the attempt or demand extra verification before granting access.

4. Obsessing about the sandbox. Google's systems are built with multiple security layers. If you find one bug in a Google page and get into one protected component, you still have to find a bug in the next layer, and then the next, and so on. So your chances of chaining enough bugs to break this page end to end are very small.

Allowing users to set up two-step verification on their account is another way Google secures its service. When you sign in from a new device, you must supply a 6-digit code in addition to the password. The code can be delivered by phone call or SMS, or generated on your phone by an app such as Google Authenticator or Authy. Even if someone knows the password, they cannot get into the account without that code.

That's cool, right?

Not really. Google has been detecting and warning about government-backed attackers who target social activists and break into their accounts, and against such attackers the standard, phone-based form of two-step verification turns out to be weak too.

Wait, how come?

Very simple; I'll give you one example. Imagine that you have a Gmail account and I have figured out your password. You are careful, though, and have set up two-step verification with a phone call as the second step.

So I get stuck here. What do I do? I can impersonate you at your mobile provider, claim that I lost my phone, and walk out with a new SIM card carrying your number. From then on the verification calls and SMS codes reach me instead of you.

It might not work at a carrier like Verizon or AT&T, but in other countries (Lebanon, for example, with Alfa or Touch) it would apparently work, because their identity checks are pathetic.

Now imagine this. 

A corrupt government targets a journalist's or a dissident's Gmail account and gets his password by spying on him. They can then, for example, take over his phone number with the phone company's cooperation and very quickly pass the phone-based check, or reset the password altogether.

In fact, this has happened: Google announced in a blog post that it has been warning users targeted by state-sponsored attackers since 2012.

It might not be the method I described, but I highly suspect it is. Google said it cannot reveal what tips it off, because attackers would adapt; however, it did say "Enable two-factor authentication and set up a Security Key", which strongly suggests that the attacks go after the mobile phone.

Google said it has sent these notices to 0.1% of its users, which is a huge number considering that there are more than one billion Google accounts: 0.1% of one billion is one million.

Google ended the post with "The security of our users and their data is paramount." That is clearly borne out in practice, and it is a reason to trust and respect Google more.

So what is a security key?

It is a small USB device that you plug into your machine to approve access to an account: a second step that does not depend on a phone number. Its full name is "FIDO U2F Security Key". U2F (Universal 2nd Factor) is an open authentication standard that strengthens two-factor authentication using specialized USB or NFC devices, built on security technology similar to that found in smart cards. It was developed by Google and Yubico. What sets it apart from a code is that the key answers the site's challenge with a signature bound to the site's web origin, so a phishing page on a look-alike domain cannot obtain a usable answer, and a SIM swap gains nothing because no phone is involved. U2F security keys can also be used on Dropbox, GitLab, and Bitbucket.

How does it work? 

Once you have two-step verification enabled and a security key configured, each time you log in on a new (or unsaved) device you will be asked to insert your security key into the machine and press its button.
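What the button press actually does, as an added example: the Go model below is illustrative code, not Google's, Yubico's or this post's, and it leaves out key handles, attestation and the USB transport, keeping a token that holds a single registration; the origins used are assumptions for the demonstration. It shows three properties a 6-digit code lacks: the key only signs for the origin it was registered under, so a page at a look-alike domain gets nothing; the server checks the origin and its own random challenge before trusting the signature; and a per-key counter lets the server spot a cloned key or a replayed answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is what the browser signs over: the server's challenge plus the origin the browser observed.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Token models the key after one registration: a P-256 key bound to the application parameter (SHA-256 of the origin).
type Token struct {
	priv    *ecdsa.PrivateKey
	app     [32]byte
	counter uint32 // bumped per signature so the server can spot cloned keys and replays
}

func appParam(origin string) [32]byte { return sha256.Sum256([]byte(origin)) }
func Register(origin string) (*Token, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, app: appParam(origin)}, &priv.PublicKey, nil
}

// authMessage hashes the U2F authentication message: app || 0x01 (user present) || counter || SHA-256(clientData).
func authMessage(app [32]byte, counter uint32, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	msg := append([]byte{}, app[:]...)
	msg = append(msg, 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	digest := sha256.Sum256(append(msg, cdHash[:]...))
	return digest[:]
}

// Authenticate is the button press. The key refuses any other application parameter, so a phishing origin gets no usable signature.
func (t *Token) Authenticate(app [32]byte, cd []byte) (uint32, []byte, error) {
	if t.app != app {
		return 0, nil, errors.New("token: key was not registered for this application")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, authMessage(app, t.counter, cd))
	return t.counter, sig, err
}

// Server is the relying party; it remembers the last counter it accepted and the one challenge outstanding.
type Server struct {
	origin, challenge string
	pub               *ecdsa.PublicKey
	lastCounter       uint32
}

// Challenge issues a random nonce that exactly one assertion may consume.
func (s *Server) Challenge() string {
	raw := make([]byte, 16)
	rand.Read(raw)
	s.challenge = fmt.Sprintf("%x", raw)
	return s.challenge
}

// BrowserSign is the client side: the browser records the origin it actually observed and asks the token to sign under it.
func BrowserSign(tok *Token, observedOrigin, challenge string) (cd []byte, counter uint32, sig []byte, err error) {
	cd, _ = json.Marshal(ClientData{Challenge: challenge, Origin: observedOrigin})
	counter, sig, err = tok.Authenticate(appParam(observedOrigin), cd)
	return cd, counter, sig, err
}

// Verify checks challenge, origin, counter and signature; a malformed blob leaves parsed empty and fails the challenge check.
func (s *Server) Verify(cd []byte, counter uint32, sig []byte) error {
	var parsed ClientData
	_ = json.Unmarshal(cd, &parsed)
	switch {
	case s.challenge == "" || parsed.Challenge != s.challenge:
		return errors.New("server: unknown or already used challenge")
	case parsed.Origin != s.origin:
		return errors.New("server: origin mismatch")
	case counter <= s.lastCounter:
		return errors.New("server: counter did not increase (replay or cloned key)")
	case !ecdsa.VerifyASN1(s.pub, authMessage(appParam(s.origin), counter, cd), sig):
		return errors.New("server: bad signature")
	}
	s.challenge, s.lastCounter = "", counter
	return nil
}

func main() {
	tok, pub, _ := Register("https://accounts.google.com") // assumed origin for the demonstration
	srv := &Server{origin: "https://accounts.google.com", pub: pub}
	_, _, _, phish := BrowserSign(tok, "https://accounts-google.example", srv.Challenge())
	cd, n, sig, _ := BrowserSign(tok, srv.origin, srv.Challenge())
	fmt.Println("phishing origin:", phish, "| real origin:", srv.Verify(cd, n, sig))
}
```

Run it and the phishing attempt fails inside the token, before anything reaches the real site, while the genuine login verifies. The browser, not the web page, supplies the origin; that is what a phishing site cannot override, and it is the reason this works where a relayed SMS or app code does not.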

While you may keep the phone call as a backup verification method, I do not recommend it, since it defeats the primary purpose of the security key.

It is wise to generate backup codes and keep them somewhere safe (printed and locked away, not in a note on your phone or in your inbox) in case you lose the security key or want to log in on a mobile phone.

If you decide to use one for your own safety, it is wise not to tell your friends, colleagues or anyone else that you are using this type of security mechanism.

Hackers adapt to security features in whatever shape and form they come. Let them be surprised when they try to access your account, instead of letting them plan ahead.

Do I use a security key?

Yes, definitely. I purchased this item on July 14, 2016, and added it to my account on July 25, 2016. My experience has been phenomenal as I gradually moved away from phone-based two-step verification. I treat the security key like any other key and carry it on my key ring. I had a bit of a hard time explaining what it is to my family and friends, but eventually they got used to it.

How do I buy one?

You can purchase one (made by Yubico) for as little as $17.99. Configuration is easy and can be done on websites like Google or Dropbox.

In Summary

No matter where you go, you will not find anything as secure as your Google account: not online bank accounts, Microsoft accounts, Facebook accounts, Akamai accounts or anything else. This company is obsessed with security and breathes security. If you keep sensitive information or any critical material in your Google account, it would be wise to purchase and configure a security key to take full advantage of Google's security.

