Google Adds Security Key Enforcement to G Suite Apps, Hosted S/MIME to Gmail

Google on Wednesday pumped more life into the use of physical keys as a second form of authentication when it added Security Key enforcement support to G Suite.

Admins inside enterprises managing deployments of the suite of cloud-based productivity apps, formerly known as Google Apps, can now enable two-step verification using Security Keys as a second factor.

Security Keys are physical USB tokens that can be configured to cryptographically verify a user at login.

Google also announced the availability of a hosted S/MIME service extending encryption capabilities on Gmail beyond TLS.

“TLS only guarantees to the sender’s service that the first hop transmission is encrypted and to the recipient that the last hop was encrypted. But in practice, emails often take many hops (through forwarders, mailing lists, relays, appliances, etc),” Google said. “With hosted S/MIME, the message itself is encrypted. This facilitates secure transit all the way down to the recipient’s mailbox.”

Google said S/MIME adds account-level signature authentication, unlike DKIM, which provides only domain-based authentication.

“This means that email receivers can ensure that incoming email is actually from the sending account, not just a matching domain, and that the message has not been tampered with after it was sent,” Google said.
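The hop-by-hop point can be checked on a delivered message. The following added example (not code from Google or from the original article) reads the Received headers of a constructed message, reports which hops used TLS according to the RFC 3848 "with" keywords, and checks whether the message itself carries S/MIME protection. Host names, IDs, dates and function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample (hosts, IDs and dates are invented). Each hop prepends its
# Received header, so the top header is the last hop before the mailbox.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
 by mailbox.recipient.example with ESMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from list.forwarder.example (list.forwarder.example [198.51.100.7])
 by mx.recipient.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from out.sender.example (out.sender.example [192.0.2.5])
 by list.forwarder.example with ESMTPS id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

(placeholder body, not real CMS data)
"""

# RFC 3848 "with" keywords: a trailing S (ESMTPS, ESMTPSA, LMTPS...) means TLS.
HOP_RE = re.compile(
    r"\bby\s+(\S+).*?\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)(S?)A?)\b", re.I | re.S)

def hop_transport(msg):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        hops.append((m.group(1), m.group(2).upper(), bool(m.group(3)))
                    if m else ("?", "UNKNOWN", False))
    return hops

def smime_protection(msg):
    """Classify message-level protection from the top-level Content-Type."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "unspecified")).lower()
    protocol = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/signed" and "pkcs7-signature" in protocol:
        return "signed-data (detached)"
    return "none"

def audit(raw):
    msg = message_from_string(raw)
    hops = hop_transport(msg)
    return {"hops": hops,
            "cleartext_hops": [host for host, _, tls in hops if not tls],
            "message_protection": smime_protection(msg)}
```

Calling `audit(SAMPLE)` shows the first and last hops on TLS and the middle relay in cleartext, while the S/MIME envelope covers the message on every hop. Received headers are written by each relay and can be forged upstream, so treat the result as an audit hint rather than proof.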

On both fronts, Google is providing users with additional identity verification and authentication. It is positioning Security Keys, which it has supported since 2014, as enhanced protection against phishing.

“Instead of entering a unique code as a second factor at sign-in, Security Keys send us cryptographic proof that users are on a legitimate Google site and that they have their Security Keys with them,” said Christiaan Brand and Guemmy Kim of the Google Account Security team. “Since most hijackers are remote, their efforts are thwarted because they cannot get physical possession of the Security Key.”

Google also announced that this protection can extend to mobile devices (Android and iOS) since the Security Keys also support Bluetooth Low Energy and pair with devices over the BLE protocol.

“BLE Security Keys, which work on both Android and iOS, improve upon the usability of other form factors,” Brand and Kim said.

Yesterday’s announcement was a complement to a larger rollout on Monday of enterprise controls to G Suite, Google said.

In addition to Security Key enforcement, G Suite also supports data loss prevention technology in Google Drive. Admins can use it to add security controls to sensitive data and to manage how content is stored and shared. It can also be configured to protect scanned documents via OCR and enforce data protection and sharing policies on that front.

Facebook, last week, announced that it had added support for physical keys for account security as a second form of authentication.

“Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone,” said Facebook security engineer Brad Hill.

Google, Facebook and other technology providers have for years supported second factors of authentication, usually via SMS or email messages that prompt users to enter a PIN in addition to their passwords. Google said additional protection is coming soon for personal accounts, building on its partnerships with the FIDO Alliance; FIDO Universal Second Factor authentication has been used internally on Google physical keys, the company said.
