- Goal of this document
- Make logging into your Google account more secure using a Security Key
- Terms
- Problem to solve: Phishing
- How can I avoid being phished?
- How does a U2F Key defend against phishing?
- How does a U2F Key actually work?
- Motivation
- Clarification
- Sources
The goal here is to write a simple, easy to understand document that describes the problem of Phishing, how physical security keys make Phishing harder.
It is targeted towards non-technical audience.
Pull requests are most welcome and encouraged.
This will make logging into your Google account more secure for you, and harder for anyone else.
Now that you've done that, allow me to tell you how it makes logging into your Google account more secure.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components.
Universal 2nd Factor (also known as U2F) is an open authentication standard that strengthens and simplifies 2FA.
U2F Keys or Physical Security Keys are USB devices that provide a form of identity verification for 2FA. It looks like this:
Let's say you want to read your Gmail emails, and let's assume that you do not have 2FA enabled for your Google account.
Here's what you would do:
- Open
https://www.google.com/mail - You are asked to login into your Google account.
- You enter your username.
- You enter your password.
- You can now access your Gmail emails.
Scenario 1: Google Login Page
Now consider another scenario. Your cousin Vinny sends you an email that contains a hyperlink to a free lottery to win an iPad. When you click on the link, you are shown a login page similar to previous scenario and here's what happens:
- The link goes to
www.gogle.com - You are asked to login into your Google account.
- You enter your username.
- You enter your password.
- Something happens. For instance, you may be told that your email address has been entered in a raffle to win the promised iPad.
Scenario 2: Gogle Login Page
Did you notice the missing o there in the website name in the URL?
Let's take a closer look.
Did you intend to enter your Google credentials (username and password) on gogle.com?
Here's what may have happened in the background:
- You entered your Google credentials on
gogle.com. - Now the owner of
gogle.comhas your Google credentials. - They can now use those credentials to login on Google as you and do bad things such as read your email, send email as you (to your contacts or other people), etc.
This is called phishing. Phishing works because the bad actor only needs your login credentials to login as you.
I'm glad you asked that. One of the best ways to avoid this, currently, is to enable 2FA and use a U2F Key as the second factor for authentication.
I repeat: Go do this. Now.
Put simply, even if someone manages to get the login credentials for your Google account, they still need physical access to the U2F Key that acts as the second factor for authentication.
So for the Bad Scenario above, even if the owner of
gogle.com gets your username and password, they won't have access to your
U2F key, which would make it impossible for them to log in as you.
For more details about how U2F keys work, see:
Zeynep Tufekci spoke at the Engima 2017 conference about Security in the Wild for Low-Profile Activists.
She mentioned how it was difficult for her to convince activists to use U2F keys because they did not understand how they work and how to use them.
Please note that I am not claiming that the owner of gogle.com is trying
to phish internet users. That's just an example.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent