Googler Extraordinaire Matt Cutts made a call for users to enable two-factor authentication for Google accounts, and that is a great idea for some users. However, I think power users are going to find it hard to make the leap to two-factor unless Yubikey is natively supported by Google, which it currently is not.
The problem currently is that you need to use either the Yubico App (Windows) or this snazzy Python script (Linux) to have Yubikey work with Google two-factor, but if you happen to be using a friend’s laptop, or are at work or perhaps at a library, you are very unlikely to be able to run one of these workaround applications.
Strong authentication practices are something every consumer or enterprise user should strive for, while at the same time service providers and vendors also need to adopt widely used technologies that safeguard users, and in this case this is something Google should strive for. After all, we don’t want to see more victims like this, do we?
Surely there is a Googler who would love to spend their pet project percent time on implementing native Yubikey support?
We use these @ Canonical for 2FA, I _love_ it.
Yeah, between work and LastPass access the Yubikey has won. Definitely wish I could use it for Google Apps.
I know right!
Interestingly, inside of Google we actually do use Yubikey (as the most predominant option), but we seem to use a different one-time password system than the two-factor auth we provide our consumer users. I’m new there, don’t ask me why.
Honestly though, for *most* users, I think the ‘code texted to your cell phone’ is the most accessible option for two-factor auth, and Yubikey is a great option for enterprise usage; I’m not sure it’s the most accessible or best option for consumer accounts. Especially since you’d need to have some way to differentiate the Yubikey for those of us who would carry more than one.
I have a Yubikey and am by no means an enterprise user, and the big problem with me is what if I have no cell service? What if I forget my backup code print-out? Seems like a lot of hassle to me.
Sorry, pulling out my phone, launching the app, and reading off the phone into the computer is 10x harder than pressing the button one time on my Yubikey Nano that’s docked in the back-left USB port of my laptop.
You are not a typical user. For most users, something that integrates with their phone is more convenient than yet another hardware dongle.
The other bit, that I guess I just assumed would be more apparent, is that Google is highly unlikely to outsource core authentication infrastructure like YubiKey OTP Verification. This would have several effects:
1. Those of us who already have YubiKeys would be unable to use our existing YubiKey with our Google accounts anyway, since the OTP cannot really be verified against multiple sources securely, and without the very real risk of ‘drift’ in the OTP signal that could cause the key to become inadvertently disassociated with one server or the other.
2. Suddenly Google needs to distribute YubiKeys to its users, most of whom have no desire to have one. Blizzard had terrible uptake of its optional Mobile Authenticator usage (though I understand that improved when it was integrated into Android/iOS apps).
The existing system, which can involve a 6-digit code texted to your cell phone once every 30 days per browser you log in from, is a fantastic trade-off between security and convenience for 99% of users.
I am of the opinion that even if Google were to offer a Yubikey option, the realities of the way it would be implemented would probably be distasteful for those who are asking for it, and the uptake would be incredibly low.
I agree with you completely Rick, but Jeff is correct.
I attend a university, and students have their cell phones out at all times. In any computer lab, everyone is texting on their phones while they browse the web on the computer (they don’t chat with desktop apps). When I visit their houses to hang out, it’s the same story: Their cellphone is out on the desk or the arm of the chair / couch that they’re sitting in (or, at most, on the floor near their feet), turned on, and ready at a moment’s notice.
It seems that the majority of people these days literally, physically have their phones next to their fingertips at all times. Whereas I suspect that you and I both keep our phones on our chargers or in our pockets, or otherwise stashed away until necessary.
I find the mobile app to be a real PITA because my tablet is in my bedroom plugged into the charger. That means that any time that I want to sign in I have to go get the thing (or fetch my phone, which is probably next to it). Conversely, I tend to keep one Yubikey plugged in about 80% of the time and the second one on my desk under the monitor.
This is part of nerdom, though. We’re not like most people.
Being able to use my Yubikey with Google Apps would be fantastic. It would also be awesome for use with Chrome OS. Please Google, add support for it!