![]() Physical keys are also more convenient, since they work on all major operating systems and hardware. Physical keys are among the-if not the- most secure forms of 2FA because they store the long-term secret that makes them work internally, and only output non-reusable values. Instead of using only a password to prove someone is authorized to access an account, 2FA requires a second factor, such as a one-time password, possession of a physical object, or a fingerprint or other biometric. Two-factor authentication, or 2FA, is a method that makes account takeovers much harder to pull off. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.” “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it,” researchers from security firm NinjaLab wrote in a research paper published Thursday. That means the key cloning-were it ever to happen in the wild-would likely be done only by a nation-state pursuing its highest-value targets. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. There are some steep hurdles to clear for an attack to be successful. Research published today doesn’t change that thinking, but it does show how malicious attackers with physical possession of a Google Titan key can clone it. There’s wide consensus among security experts that physical two-factor authentication keys provide the most effective protection against account takeovers.
0 Comments
Leave a Reply. |