Phishing and Security Keys

Mark Risher
5 min readApr 2, 2019

When it comes to online security, confusion about the risks can lead people to obsess over obscure threats while ignoring key innovations that could truly protect them. Even highly-targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks.

To that end, here’s a brief primer adapted from my Twitter post on phishing, security keys, and online threats.

IN THE BEGINNING, God created passwords. If you knew your password, you could sign in; if you didn’t, the door remained locked. Simple!

Primitive forms of biometric authentication

Unfortunately, phishers realized that if they knew your password, they too could sign in. Relying on a single “knowledge factor” meant if they could make you enter your password on their fake login page — i.e. if they knew it too — then they were home scot free.

So system administrators started requiring a second factor — something you have — so phishing couldn’t succeed with just your password; attackers would be stopped because they didn’t have the other factor as well. Phishers were sad (for a moment) 🎣😔

The most common 2nd factor was (and is!) a 6-digit code sent to or generated by a specific device. In the early days, it was often on a keychain dongle thingie like the RSA SecureID:

While still a massive improvement over passwords alone, the “one-time passwords” on these dongles can still be intercepted and used by hackers

Later we started sending codes to users’ cell phones. Worth noting amidst some other comments on Twitter, this form of two-factor authentication is still way safer than relying on a password alone; let’s not let the perfect be the enemy of the good (I’m looking at you, NIST).

There is a real problem with these codes in targeted attacks, though: It wasn’t long before phishers realized they didn’t actually need the user’s cell phone or keychain dongle thingie, they just needed the code. And how do you get the code? Create a fake login page that asks not only for the password, but also for the code! Ruh roh!

Phishing pages can capture anything the user has to type in. This example has all the fields on one page, but more common is to split up identifier, password, and OTP onto separate steps.

Because most codes only last a few minutes, initially this meant the phisher had to sit by their keyboard, waiting for users to type in their code. But it wasn’t long before this got automated too; mrgretzky built an awesome proof-of-concept called Evilginx which demonstrates an automated man-in-the-middle attack that grabs the username, password, and OTP code all without hacker intervention.

That’s the problem with all code-based solutions: For a few seconds between receiving and typing it in, the site is relying on the user memorizing — i.e. knowing — the code, so what we thought was a physical “something you have” factor is actually just a kind of second knowledge factor.

Making matters worse, cell phones and SMS messages were never really built to be security tokens, so phishers have also found other ways to get those codes delivered to phones they control, including everything from technical means to impersonating telco employees, and everything in between.

With tens of thousands of retail branches in the US alone, there are lots of people who can potentially change the routing for a user’s cell phone number. That said, the scale of those attacks is still orders of magnitude smaller than relying on a password alone

Anyway, back to Security Keys. Phishing scams are based on the fact that login pages require the user to manually verify that they’re on the right site. Slip up one time — mistaking a ‘1’ for an ‘l’ in the URL for example — and the user is hosed.

Security Keys flip this on its head, trading something humans are bad at (noticing subtle differences) for something computers are good at (identifying exact matches). With Security Keys, instead of the user verifying the site, the site has to prove itself to the key. 💻🔐💪

The Titan Security Key from Google is one example of a FIDO-compliant Security Key

I’ll say it again for the people in the back: with Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Good security these days is about human factors; we have to take the onus off of the user as much as we can.

Furthermore, this “proof” from the site to the key is only permitted over close physical proximity (like USB, NFC, or Bluetooth). Unless the phisher is in the same room as the victim, they can’t gain access to the second factor.

This is why I keep using words like “transformative,” “revolutionary,” and “lit” (not so much anymore): SKs basically shrink your threat model from “anyone anywhere in the world who knows your password” to “people in the room with you right now.” Huge!

Everyone in the world versus everyone in your house; which would you choose?

Yes, no solution is perfect, and yes, security always relies on layers, but this particular layer is so strong it’s hard to exaggerate. That’s why we made Security Keys a required part of the Advanced Protection Program, and mandate SKs for all Google employees.

Earlier this month, the FIDO Alliance took things even further with a new standard called #WebAuthN, which allows this same game-changing technology to work across the web with fingerprints and biometrics.

It will take time to get rid of all the world’s passwords, but these technologies — potentially combined with Federated Identity products like Sign-in with Google & Facebook Connect, which reduce the spread of weak credentials — are making it so users don’t need to rely on them and hackers can’t take advantage of them.

We read a lot about scary, 0day vulnz — which are important — but phishing is the silent killer, and relying on a password alone is a recipe for disaster. Two-factor authentication (even with a code delivered by SMS) is still way better than the alternative, but if you’re an at-risk user — like a political figure, celebrity, activist, or journalist — please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized. 🔐

P.S. If you are a Gmail user and want our highest security option, I highly encourage you to check out the Google Advanced Protection Program.

This was originally posted as a tweet storm here. If you have comments/questions, find me on Twitter and let’s talk about a safer Internet!



Mark Risher

Director @ Google; startup co-founder; former theater nerd. Biracial. He/him.