
New from Google: is authentication safe without entering a password?

I think I am not the only one who is fed up with passwords: they have to be remembered, and they should preferably be complex and different for each resource. As it turns out, I am indeed not alone in thinking so. I recently came across reports that Google is testing a new authentication system that lets you skip entering a password when signing in to your account. The whole user authentication process boils down to this: the user simply presses the "Yes" button on their smartphone, thereby confirming their identity, and gains access to the account.


Being somewhat familiar with information security, I decided to share my opinion on this decision. I have doubts about its practicality and, most importantly, its reliability, and I would like to hear the views of the Habr community on this question.

Data is exchanged via GCM (Google Cloud Messaging). A notification is sent to the user's device, and the user has to accept it to sign in to the account. Anyone interested in the details can read more in the original report.
According to Rohit Paul, who in fact told the world about this innovation, the system works on the principle of two-factor authentication. First, the user must unlock their smartphone (the first factor), and only after that can they accept the notification from Google and sign in to the account (the second factor).

But I beg to differ. There are several "buts" in this scheme:

  1. Calling this method two-factor authentication would be a mistake, because when the user taps the "Yes" button, they confirm only one factor: possession of the phone. The second factor (the knowledge factor, i.e. the password) is not checked by the system at all. Two-factor authentication means using two different factors together: the knowledge factor plus a second factor, possession or biometrics. The key idea of 2FA is that the weaknesses of one factor are covered by the strengths of the other.
  2. If the smartphone is locked, lost, or simply unavailable, the user can still sign in with the usual login and password. In other words, the second factor is not mandatory. What stops an attacker from using this loophole and reducing the whole process to simple password entry? And obtaining the password through phishing, social engineering, brute force and so on is no big deal for an attacker.
  3. In fact, such an innovation may significantly worsen the state of account protection, because the attacker now even has a choice: either obtain the password, or get malware onto the smartphone. Recall the statistics stating that 87% of Android smartphones are vulnerable, and news about iOS vulnerabilities appears regularly as well.

The new authentication system that Google is testing, with the signal delivered over the GCM channel, was clearly not created to strengthen the protection of user data. Perhaps the scheme is suitable for simplifying sign-in, since the user only needs to press one button. In that case I agree: it is convenient and will appeal to most users, because people are lazy by nature.

But if you take a responsible approach to data protection, then, in my opinion, it is better to abandon this authentication method and use 2FA with one-time passwords. Today there are many free applications for generating one-time passwords: Google Authenticator itself, or any other mobile authenticator, for example from Microsoft, Dell, ATSolution, Authentry or Protectimus. I have tried almost all of them, but I use one that has a number of additional advantages over Google's Authenticator. How to use them for authentication in popular social networks, and what makes them good, I will describe in a separate article.

Source: https://habr.com/ru/post/274561/
