Google has extended its Advanced Protection Program for account security to the iPhone platform, aimed at those who are most targeted by cybercriminals: members of political campaign teams, journalists, activists, executives, employees in regulated industries such as finance or government, and others.
It has also made the program simpler to sign up to for Android users.
The idea is to add another log-in factor to the sign-in process for Google accounts – one that can’t be intercepted by a phisher. Specifically, the Advanced Protection Program uses security keys, which make use of public-key cryptography to verify both the user’s identity and the URL of the login page. These can be either a physical security key or a smartphone’s built-in security key. In the case of iPhone, those running iOS 10.0+ with the Google Smart Lock app installed can enroll in the program.
“Unlike other two-factor authentication (2FA) methods that try to verify your sign-in, security keys are built with FIDO standards,” explained Christiaan Brand, product manager at Google Cloud and Kaiyu Yan, Google software engineer, in a posting on Wednesday.
In the FIDO framework, authentication is done by the client device, which must prove that it physically holds the private key registered with a given service. To prove this, the client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
In the case of Google’s program, the phone becomes the second-factor device, and uses Bluetooth to verify a person’s sign-in on Chrome OS, iOS, macOS and Windows 10 devices. When someone signs into a Google account, an “are you trying to sign in?” notification is sent to the phone via Bluetooth, which ensures that the phone is in physical proximity to the user. The user must then click the notification in order for the account to unlock.
“We also highly recommend registering a backup security key to your account and keeping it in a safe place, so you can get into your account if you lose your phone,” said Brand and Yan.
This scheme protects against the brute-forcing of accounts, the use of stolen credentials, the use of the password recovery feature to illicitly access accounts, schemes that bypass traditional 2FA (i.e., text codes and the like) and phishing pages.
“Everything becomes much simpler when the things we’re already carrying around—our smartphones—have a built-in security key,” said Shuvo Chatterjee, product manager at the Advanced Protection Program at Google, in his own posting on Wednesday. “That’s been the case on Android since last year, and [now] you can activate a security key on your iPhone as well. Millions of people around the world—many high-risk users among them – use iPhones, and this new capability makes Advanced Protection significantly easier for them.”
Account takeover attempts are not infrequent: Chatterjee said that from July to September, Google sent more than 12,000 warnings to account users around the world about inauthentic logins. And increasingly sophisticated efforts to bypass traditional 2FA have appeared in the wild, making security keys more attractive to high-risk users.
For instance, in December 2018, word came of an APT attack dubbed the Return of Charming Kitten. The campaign was tailored to get around two-factor authentication in order to compromise email accounts and start monitoring communications. It relies on the same basic premise of relaying the victim’s input in real time, but requires more manual work on the part of the attackers. On a fake but convincing phishing page, users are asked to enter their credential details, which the attackers enter into the real log-in page in real time. If the accounts are protected by two-factor authentication, the attackers redirect targets to a new page where victims can enter the one-time password; the attackers can then take that, enter it into the real page, and are off to the races.
Similarly, last year a researcher released a reverse-proxy tool called Modlishka on GitHub. It sits between a user and whatever website that user is logging into, be it webmail, e-commerce, utility accounts and so on. It allows the legitimate website content to display for the user – and then intercepts all of the traffic flowing back and forth. So, an attacker in real time can not only observe victims’ credentials, but also whatever 2FA code they input. Acting quickly, the malefactor can then log into the account themselves.
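Why the relay schemes described above fail against a FIDO security key comes down to the URL check mentioned earlier: the key signs not just the server’s challenge but the origin the browser is actually talking to, so a response collected on a look-alike page does not verify on the real one. The following Go program is an added illustration, not Google’s or FIDO’s code; the origins, the fixed challenge and the Ed25519 key pair are constructed for the example, and the structure loosely mirrors WebAuthn’s client data without implementing the full protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData loosely mirrors FIDO/WebAuthn collectedClientData; the browser, not the user or the page, fills in the origin it is connected to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// sign is the security-key side: the signature covers SHA-256(clientDataJSON), so the observed origin is bound into it.
func sign(priv ed25519.PrivateKey, challenge, origin string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(priv, h[:])
}

// verify is the relying-party side: the challenge it issued, the origin it owns, and a valid signature under the registered public key.
func verify(pub ed25519.PublicKey, challenge, origin string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Challenge != challenge {
		return fmt.Errorf("unparseable client data or challenge mismatch")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, origin)
	}
	h := sha256.Sum256(cdJSON)
	if !ed25519.Verify(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// demo runs a genuine login and a reverse-proxy relay: the proxy forwards the real challenge, but the victim's browser is on the phishing origin.
func demo() (genuine, relayed error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const good, bad = "https://login.example", "https://login-example.attacker.test" // constructed origins
	challenge := "constructed-fixed-challenge" // a real server draws a fresh random one per login
	cd, sig := sign(priv, challenge, good)
	genuine = verify(pub, challenge, good, cd, sig)
	cd, sig = sign(priv, challenge, bad) // what the victim's key actually signs on the proxy page
	relayed = verify(pub, challenge, good, cd, sig)
	return genuine, relayed
}
```

The relayed assertion fails at the origin check even though the challenge, the key and the signature are all valid, which is what makes an intercepted FIDO response useless to the proxy operator.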