Yes, Google’s Security Key Is Hackable

Here is an article by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

Ever since Google told the world that none of its 85,000 employees had been successfully hacked since they started implementing Security Keys, like Yubico’s YubiKey, I’ve been contacted by friends and the media about my thoughts.

Apparently, as the author and presenter of 12 Ways to Hack 2FA and an author of a similar CSO column, I’m purported to be an authority on it. I’m not, but I did recently stay at a Holiday Inn.

Never one to be a wallflower, I’ve given my opinion and limited expertise over and over. I had to repeat it enough that I decided to write an article about it so I can just point future requests to a link.

MFA and Google Are Awesome

First and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. We need to replace one-factor authentication (1FA) and simple password authentication scenarios wherever and whenever we can. I’m saying it right here: MFA is awesome!

Google is awesome in so many ways, not the least of which is their incredible push to better secure more web sites (more default HTTPS and trying to fix our digital authentication mess, as examples), but also in switching all their users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. Yubico’s YubiKey is awesome. What’s not to love about any company or person trying to improve computer security?

Now that we’ve got the obligatory “I’m not insane” moment out of the way, I’m just as correct to say that there is no doubt in my mind that Google’s Security Key MFA device can be hacked. Just because it hasn’t or didn’t get hacked (not sure how you ultimately prove that, of course) doesn’t mean it can’t be hacked. Apple computers and devices didn’t get hacked until they became super popular, and now they are. Same thing here.

There is not an authentication solution made that cannot be hacked. That includes what Google has. It includes whatever we come up with in the future. It includes all known biometrics. It includes everything in the computer security world. If a vendor or person tells you they have something that is unhackable, run! They are either lying or don’t know what they are talking about. Either way, not the sources of authority you should be listening to.

Yes, Google Security Keys Can Be Hacked

Critics of mine are probably saying: if Google has gone over a year without any of their 85,000 employees getting hacked, how can I say that they are hackable with any degree of expertise, certainty, or personal dignity?

Start by watching my Hacking 2FA video or reading the CSO column (listed above). Or just watch my friend, co-worker, and world’s best-known hacker, Kevin Mitnick, blow past a popular 2FA solution using social engineering and some common hacking methods, as if the 2FA token isn’t even there.

After Kevin first posted his video, people said that his method wouldn’t work on Google, so now he goes around demonstrating how to get around Google’s software-based 2FA solution, Google Authenticator, for giggles. Repeat after me: any authentication solution is hackable. Some are just easier than others.

Read the full article at the source.
