Here is an article by Roger Grimes, Data-Driven Defense Evangelist at KnowBe4
Ever since Google told the world that none of its 85,000 employees had been successfully hacked (https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/) since they started implementing Security Keys, like Yubico’s YubiKey (https://www.yubico.com/products/yubikey-hardware/), I’ve been contacted by friends and the media about my thoughts.
Apparently as the author and presenter of the 12 Ways to Hack 2FA(https://www.brighttalk.com/webcast/14421/326691/twelve-ways-to-defeat-two-factor-authentication) and an author of a similar CSO column (https://www.csoonline.com/article/3272425/authentication/11-ways-to-hack-2fa.html), I’m purported to be an authority on it. I’m not, but I did recently stay at a Holiday Inn.
Never one to be a wall flower, I’ve given my opinion and limited expertise over and over. I had to repeat it enough that I decided to write an article about it so I can just point future requests to a link.
MFA and Google Are Awesome
First, and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. We need to replace as many one factor authentication (1FA) and/or simple password authentication scenarios wherever and whenever we can. I’m saying it right here, MFA is awesome!
Google is awesome in so many ways, not the least of which is their incredible push to better secure more web sites, using more default HTTPS and trying to fix our digital authentication mess as examples, but also in switching all their users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. Yubico’s YubiKey is awesome. What’s not to love about any company or person trying to improve computer security?
Now that we’ve got the obligatory “I’m not insane” moment out of the way, I’m just as correct to say that there is no doubt in my mind that Google’s Security Key MFA device can be hacked. Just because it hasn’t or didn’t (not sure how you ultimately prove that of course) get hacked, doesn’t mean it can’t be hacked. Apple computers and devices didn’t get hacked until they became super popular, and now they are. Same thing here.
There is not an authentication solution made that cannot be hacked. That includes what Google has. It includes whatever we come up with in the future. It includes all known biometrics. It includes everything in the computer security world. If a vendor or person tells you they have something that is unhackable, run! They are either lying or don’t know what they are talking about. Either way, not the sources of authority you should be listening to.
Yes, Google Security Keys Can Be Hacked
Critics of mine are probably saying if Google has gone over a year without any of their 85,000 employees getting hacked, how can I say that they are hackable with any degree of expertise, certainty, or personal dignity?
Start by watching my Hacking 2FA video or read the CSO column (listed above). Or just watch my friend, co-worker, and world’s best-known hacker, Kevin Mitnick, blow past a popular 2FA solution (https://www.youtube.com/watch?v=xaOX8DS-Cto) using social engineering and some common hacking methods like the 2FA token isn’t even there.
After Kevin first posted his video, people said that his method wouldn’t work on Google, and so he goes around demonstrating breaking around Google’s software-based 2FA solution, Google Authenticator, for giggles. Repeat after me, any authentication solution is hackable. Some are just easier than others.
Read the full article at the source.