Twitter thread by mark risher, 20 tweets, 8 min read
Okay, here’s the deal with Security Keys and #phishing, because even some experts don’t really get it. HT @boblord and @runasand for the idea 1/
IN THE BEGINNING, God created passwords. If you knew your password, you could sign in; if you didn’t, the door remained locked. Simple! 2/
Unfortunately, phishers realized that if *they* knew your password, they too could sign in. Relying on a single “knowledge factor” meant if they could make you enter your pwd on their fake login page, they were home scot-free. 3/
So system administrators started requiring a *second* factor -- something you *have* -- so phishing couldn’t succeed with just your password, they'd need the other factor as well. Phishers were sad (for a moment) 🎣😔 4/
The most common 2nd factor was (and is!) a 6-digit code that somehow is sent to a specific device. In the early days, it was often on a keychain dongle thingie; later we started sending those same codes to users’ cell phones. 5/
The problem is, phishers realized they didn’t actually need the user’s cell phone or keychain dongle thingie, they just needed the code. And how do you get the code? Create a fake login page that asks not only for the password, but also for the code! Ruh roh! 6/
Because most codes only last a few minutes, initially this meant the phisher had to sit by their keyboard, waiting for users to type in their code. But it wasn’t long before this got automated (as demonstrated with Evilginx github.com/kgretzky/evilg… from @mrgretzky) 7/
The problem is, for a few seconds, the site is relying on the user knowing the code, so what we thought was a physical “something you have” factor is actually just a kind of second knowledge factor. 8/
Making matters worse, cell phones and SMS messages were never really built to be security tokens, so phishers have also found other ways to get those codes delivered to phones they control. (e.g. @troyhunt) 9/
Anyway, back to Security Keys. Phishing scams are based on the fact that login pages require the user to manually verify that they’re on the right site. Slip up one time -- mistaking a ‘1’ for an ‘l’ in the URL for example -- and the user is hosed. 10/
Security Keys flip this on its head, trading something humans are bad at (noticing subtle differences) for something computers are good at (identifying exact matches). With Security Keys, instead of the user verifying the site, the site has to prove itself to the key. 💻🔐💪 11/
I'll say it again for the people in the back: With Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Security is as much about human factors as cryptography; we have to take the onus off of the user as much as we can. 12/
Furthermore, this “proof” from the site to the key is only permitted over close physical proximity (like USB, NFC, or Bluetooth). Unless the phisher is in the same room as the victim, they can’t gain access to the second factor. 13/
This is why I keep using words like “transformative,” “revolutionary,” and “lit” (not so much anymore): SKs basically shrink your threat model from “anyone anywhere in the world who knows your password” to “people in the room with you right now.” Huge! 14/
Yes, no solution is perfect, and yes, security always relies on layers, but this particular layer is so strong it’s hard to exaggerate. That’s why we made Security Keys a required part of the Advanced Protection Program, and mandate SKs for all Google employees. 15/
Earlier this month, @fidoalliance took things even further with a new standard called #WebAuthN, which allows this same game-changing technology to work across the web with fingerprints and biometrics. fortune.com/2019/03/04/int… @AlyssaNewcomb 16/
It'll take time to get rid of all the world’s passwords, but these technologies -- along with OIDC products like Sign-in w/ Google & FB Connect -- are making it so users don’t need to rely on them and hackers can’t take advantage of them. @alexstamos 17/
The media like to cover scary 0day vulnz, but phishing is the silent killer. If you’re an at-risk user -- like a political figure, celebrity, activist, or journalist -- please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized. 🔐 /end
For those who were inquiring, learn more about the Advanced Protection Program at g.co/advancedprotec…
Thanks for all the comments and questions. I expanded a bit on this thread with a post on "Phishing and Security Keys" medium.com/@mrisher_2499/…
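An added illustration, not part of the thread or of any FIDO/WebAuthn implementation: a toy Python model of why the relay attack in tweets 6/ to 8/ beats a 6-digit code but not a security key (tweets 10/ to 13/). The browser, not the web page, writes the page's actual origin into the signed client data and restricts the key to that origin's rpId, so an assertion obtained by a look-alike site such as examp1e.com is rejected by example.com even when the phisher forwards it instantly, and even if the phisher edits the origin field afterwards. HMAC under a per-site derived key stands in for the real authenticator's public-key signature so the code runs on the standard library alone; the names SecurityKey, RelyingParty, simulate and the user "alice" are constructed for this example.

```python
# Constructed toy model of the thread's argument: a relayed 6-digit code logs the
# phisher in, a relayed security-key assertion does not. HMAC stands in for the
# authenticator's ECDSA/EdDSA signature so this runs on the stdlib alone.
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    # Per-relying-party keys derived from a master secret that never leaves the
    # device. The rpId is chosen by the browser, never by the web page.
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._credential_key(rp_id)  # stand-in for the stored public key

    def sign(self, rp_id: str, client_data_hash: bytes) -> tuple:
        auth_data = sha256(rp_id.encode())  # the rpIdHash in authenticatorData
        sig = hmac.new(self._credential_key(rp_id), auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(key: SecurityKey, page_origin: str, challenge: str) -> dict:
    # The browser writes the page's real origin into clientDataJSON and limits
    # rpId to that page's own domain; a look-alike site gets only its own rpId.
    rp_id = page_origin.removeprefix("https://")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = key.sign(rp_id, sha256(client_data))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    # The real site: issues single-use challenges and checks what comes back.
    def __init__(self, origin: str) -> None:
        self.origin, self.rp_id = origin, origin.removeprefix("https://")
        self.verifiers, self.otps, self.challenges = {}, {}, set()

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify_assertion(self, user: str, a: dict) -> bool:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.challenges:
            return False
        if cd.get("origin") != self.origin:                        # origin check
            return False
        if a["authenticatorData"] != sha256(self.rp_id.encode()):  # rpIdHash check
            return False
        expected = hmac.new(self.verifiers[user], a["authenticatorData"]
                            + sha256(a["clientDataJSON"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["signature"]):      # signature check
            return False
        self.challenges.discard(cd["challenge"])
        return True

    # The "6-digit code" second factor from the thread, for contrast.
    def send_otp(self, user: str) -> str:
        self.otps[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[user]

    def verify_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.otps.get(user, ""), code)


def simulate(real_origin: str, phish_origin: str) -> dict:
    """Run both second factors through a phishing page that relays everything."""
    rp, key = RelyingParty(real_origin), SecurityKey()
    rp.verifiers["alice"] = key.register(rp.rp_id)

    # OTP: the victim types the code into the fake page and the phisher forwards it.
    otp_relay = rp.verify_otp("alice", rp.send_otp("alice"))

    # Key: the phisher forwards the real challenge to the fake page, the victim taps
    # the key, and the phisher forwards the resulting assertion to the real site.
    relayed = browser_get_assertion(key, phish_origin, rp.new_challenge())
    key_relay = rp.verify_assertion("alice", relayed)

    # Even rewriting the origin field does not help: rpIdHash and the signature
    # were computed for the phishing domain, so the real site still rejects it.
    edited = dict(relayed, clientDataJSON=json.dumps(
        {**json.loads(relayed["clientDataJSON"]), "origin": real_origin},
        sort_keys=True).encode())
    edited_relay = rp.verify_assertion("alice", edited)

    genuine = rp.verify_assertion(
        "alice", browser_get_assertion(key, real_origin, rp.new_challenge()))
    return {"otp_relay": otp_relay, "key_relay": key_relay,
            "edited_relay": edited_relay, "genuine": genuine}
```

Calling `simulate("https://example.com", "https://examp1e.com")` returns `otp_relay` True, `key_relay` False, `edited_relay` False and `genuine` True: the code was relayed successfully, the key assertion was not, and the legitimate login still works. The three checks in `verify_assertion` (origin, rpIdHash, signature over client data) are the ones a real relying party performs on a WebAuthn assertion; the rest of the model is simplified.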