Is Google Advanced Protection the only safe way to use Yubikey?

Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

I got my two Yubikeys yesterday and I am playing around with them on two Chromebooks. One contains my primary Gmail account and the other is a new Chromebook with a new Gmail Account (for dedicated financial transactions). I was hoping to avoid Google Advanced Protection as there is no support for recovery without submitting a form and hoping that someone would get back to you sooner than a week. For this reason Google warns about the risks of using Advanced Protection. 2FA worked OK on my new Chromebook with the new Gmail account. But then I tried to use it on my main Gmail account. I tried to register a Yubikey but it insisted on assigning this to one of the phones where I had signed in to the Google Account. The default Google setting for 2FA is to use Google Prompts. It sent the prompt to a phone and I had to acknowledge it with a key. To use it on the USB port of my Chromebook, I had to sign out of my main account on my phones.

I really like Google's security but I am concerned that there is no fallback for Google Advanced Protection except to wait and hope. Maybe I should use a paid service such as Fastmail. I think my Chromebooks are great for most of the internet stuff I do but I would need a Gmail account to access them. My other PCs are for Photoshop etc.

I would appreciate it if anyone has any advice.

Thanks,
Lynette
Silly Wabbit
Posts: 171
Joined: Sat Mar 25, 2017 9:54 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Silly Wabbit »

I don't actually use the advanced protection program, but I ended up in a similar spot (security keys with no fallback factor) after removing my phone, which removed the fallback prompt factor, leaving me with only yubikeys. I don't know if this is replicable.

I have a couple yubikeys registered, including my wife's keys. This redundancy makes me confident I won't need to resort to the manual recovery process.

I use them for other services as well.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

My problem is that I want to use two Google Gmail accounts. If I want to use Gmail on my phone, when I register a Yubikey, it attaches the security key to the prompt on the phone. Google prompts is the default for 2FA. The documentation states that if you want to use a Yubikey in the computer USB port, you need to sign out of the Google account on your phone. So it seems my only choice to avoid using Advanced Protection is to get a Fastmail Account. I have two expensive Android phones and I am used to Google's ecosystem.
gtd98765
Posts: 746
Joined: Sun Jan 08, 2017 4:15 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by gtd98765 »

I use a Yubikey to secure my Google account, but I do not have advanced protection. In addition to the Yubikey you can use an authenticator app like Google Authenticator as a second factor, print out and save backup codes, or use text message for the purpose (however, text message is the least secure second factor). Go to myaccount.google.com and select "We keep your account protected" to see the options.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

gtd98765 wrote: Fri Mar 19, 2021 10:14 pm I use a Yubikey to secure my Google account, but I do not have advanced protection. In addition to the Yubikey you can use an authenticator app like Google Authenticator as a second factor, print out and save backup codes, or use text message for the purpose (however, text message is the least secure second factor). Go to myaccount.google.com and select "We keep your account protected" to see the options.
I cannot do this when I am logged into google on one of my phones.

Google prompts is the default. When I register a Yubikey, it attaches to one of the phones into which I am logged. Then I have to use the Yubikey on the phone to acknowledge the prompt.
Soon2BXProgrammer
Posts: 2058
Joined: Mon Nov 24, 2014 11:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Soon2BXProgrammer »

Lynette wrote: Fri Mar 19, 2021 11:35 pm
gtd98765 wrote: Fri Mar 19, 2021 10:14 pm I use a Yubikey to secure my Google account, but I do not have advanced protection. In addition to the Yubikey you can use an authenticator app like Google Authenticator as a second factor, print out and save backup codes, or use text message for the purpose (however, text message is the least secure second factor). Go to myaccount.google.com and select "We keep your account protected" to see the options.
I cannot do this when I am logged into google on one of my phones.

Google prompts is the default. When I register a Yubikey, it attaches to one of the phones into which I am logged. Then I have to use the Yubikey on the phone to acknowledge the prompt.
I didn't have this problem. I am not using "advanced protection" but I'm using yubikey/google titan devices for 2FA.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

The problem was that I was signed into the Google Account on my phone and had bluetooth enabled on both this and my Chromebook. It will not use Yubikeys in this instance but uses the built-in security of my Android phone that has the latest version installed.

https://support.google.com/accounts/ans ... roid&hl=en
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Fri Mar 19, 2021 7:33 pm I got my two Yubikeys yesterday and I am playing around with them on two Chromebooks. One contains my primary Gmail account and the other is a new Chromebook with a new Gmail Account (for dedicated financial transactions). I was hoping to avoid Google Advanced Protection as there is no support for recovery without submitting a form and hoping that someone would get back to you sooner than a week. For this reason Google warns about the risks of using Advanced Protection. 2FA worked OK on my new Chromebook with the new Gmail account. But then I tried to use it on my main Gmail account. I tried to register a Yubikey but it insisted on assigning this to one of the phones where I had signed in to the Google Account. The default Google setting for 2FA is to use Google Prompts. It sent the prompt to a phone and I had to acknowledge it with a key. To use it on the USB port of my Chromebook, I had to sign out of my main account on my phones.

I really like Google's security but I am concerned that there is no fallback for Google Advanced Protection except to wait and hope. Maybe I should use a paid service such as Fastmail. I think my Chromebooks are great for most of the internet stuff I do but I would need a Gmail account to access them. My other PCs are for Photoshop etc.

I would appreciate it if anyone has any advice.

Thanks,
Lynette

You raise a lot of good questions. I'll try to add what I can, though I am not a tech expert. But I think I can point some things out.

I use Yubi keys on my Windows 10 laptop and (occasionally) with my Google Pixel 3a phone. I have a primary gmail account and a separate one for some important legal work. I also have 3-5 gmail accounts that were/are used for special projects but I retain them. I recently learned that by having the gmail account they now have associated the other Google apps to those accounts; eg: I also have a Google Drive, YouTube, etc, account for each of those gmail (Google) accounts I had previously set up.

A mildly confusing issue (for me) too is that I can use these same accounts to "log in" to the Chrome browser. When this is done the default Google apps that open in the browser are those associated with the Google account used to log into Chrome (browser). The browser log in brings along with it the potential to capture associated user names and passwords for other accounts (eg: Vanguard, etc).

I use this to my advantage along with using the Windows 10 virtual desktops. The Chrome browser can be set up with an associated Google account, so I have a desktop icon to launch various instances of the Chrome browser already logged in with a particular Google account (I only have this set up for 2 Google accounts, plus an instance in which I'm not logged in to the Chrome or Google).

I've read about the Google Titan hardware "key" in my Pixel phone but never used it until last night after reading your post. I turned it on and set it up for a Google account. Just now I removed it from my list of 2FA devices and after deleting my Google account (one of them) from my Pixel phone I then had to use the Yubikey NFC to log back into the Google account (that's what I did, there were other options available). I know that the Vanguard Android app didn't work with my Yubikey for 2FA, maybe it would with the built-in Titan key...no idea, but I don't really want to access Vanguard accounts from my phone, I was just testing at one time.

I don't think that the Google Advanced Protection ("GAP") system provides any further protection with or to the Yubikeys. GAP seems to be for the purpose of hardening the Chrome browser (and Chrome operating system? I have to say that I am not terribly familiar with the Chrome OS). Hardening the browser (and your Google account) against various forms of direct attack...not involving Yubikeys. I totally understand the intent, they developed this for people who are working in sensitive areas; political journalists, foreign affairs officials, human rights activists, etc, any of whom may be facing political "enemies" (governments or otherwise) who will want to suppress their actions.

I don't believe that hardening Chrome against these nefarious activities has anything to do with the Yubikey activities. The GAP is a "toolbox" of security tools of which provision for Yubikeys (or other hardware keys) is simply one other tool to be used.

In that vein, I think that everyone should be using full disk encryption (FDE) on their computer (Chromebook?). Maybe one could squeak by if it's a desktop that NEVER leaves the house. But if it's a laptop that may ever be taken elsewhere (even once a year to the financial consultant's office) then I feel it should have FDE. Then again, I am paranoid about such things.

All said and done, I don't think you need to implement GAP simply to use your Yubikeys for log in to other services (including your Google accounts).

I agree that working through the security steps can be confusing, and it seems to be changing regularly. But I think standard provisions of Google security will be enough protection for most of us. Even Google agrees, the description of GAP indicates the situations I described above.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Thanks for your research. I am wondering whether Google's implementation of an Android phone as a security key using Google prompts is equivalent to using a Yubikey. Apparently for now it only works with Android phones and Google Chrome. I think that this would overcome the weakness of SMS due to a potential sim swap. One has to have both location services as well as bluetooth turned on.

https://www.theverge.com/2019/4/10/1829 ... entication
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Sat Mar 20, 2021 6:13 pm Thanks for your research. I am wondering whether Google's implementation of an Android phone as a security key using Google prompts is equivalent to using a Yubikey. Apparently for now it only works with Android phones and Google Chrome. I think that this would overcome the weakness of SMS due to a potential sim swap. One has to have both location services as well as bluetooth turned on.

https://www.theverge.com/2019/4/10/1829 ... entication
Interesting article! Thank you.

When the Titan chips in phones came out I initially thought they could be used in lieu of a hardware key (Yubikey, Google Titan, etc). But to date it seems that the phone chip is used only for Google accounts (who knows, maybe there is some obscure NSA log-in for spies that uses this method as well). The Verge article says that other sites may eventually use this scheme as well. So perhaps someday!

I have to say that I think my (Google) life has been simpler just using the separate hardware keys rather than my phone's built-in Titan chip, based on your experience and reading the Verge article.

I do like having my own independent hardware keys that are not dependent on multi-billion dollar corporations for whom I am myself the product they are selling. Well, I say this not in regard to protecting my Google accounts, but to potentially using an Android phone as a hardware security key for other accounts.

In the same vein, I liked to use FDE using Truecrypt (and now Veracrypt), though my current ThinkPad has a self-encrypting SSD...I had to research the heck out of that to make certain this would actually do what I thought it did and wanted it to do. So I've taken those approaches rather than trusting to Microsoft's Bitlocker. On the other hand I do regularly use the Microsoft encryption tools in Excel (even when the file resides on my encrypted drive). FWIW, I've never noticed any lag in performance using encrypted files or FDE.

Editing to add that I am not very comfortable using my smart phones. I far prefer my pc. But I do like that I can connect my Android phone to my Windows 10 laptop and text from the pc. I also like being able to text from my Google Voice account on my laptop. I need the full keyboard.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

I suppose one down side to using my Android phone as the hardware key is that the phone is easily subject to being lost, misplaced, or stolen. The password (PIN) to get into the phone is very short, like 4-6 digits. That doesn't give a very large space of possible combinations for someone to try.

Whereas my separate hardware key(s) are much less susceptible to being lost or stolen as I don't remove them from the house. Though I have been known to misplace them around the house.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

JohnFiscal wrote: Sun Mar 21, 2021 9:26 am I suppose one down side to using my Android phone as the hardware key is that the phone is easily subject to being lost, misplaced, or stolen. The password (PIN) to get into the phone is very short, like 4-6 digits. That doesn't give a very large space of possible combinations for someone to try.

Whereas my separate hardware key(s) are much less susceptible to being lost or stolen as I don't remove them from the house. Though I have been known to misplace them around the house.
Thank you for your efforts. I would prefer to use my Yubikey but I cannot use it on my primary Gmail account when I am logged into my Smartphone.

There was a data breach on one of the companies that I use and they got some of my information. Some unpleasant security events occurred that made me realize I needed to upgrade my security - quickly! I have done almost too much in a short period of time. I have decided I need some time to decompress and think and think about the implications of possible events. Also post Covid, I would like to take several lengthy overseas trips. On my list for research is encryption, Google Voice (?), ideal laptop for travel, etc., etc.

Thanks,

Lynette
Soon2BXProgrammer
Posts: 2058
Joined: Mon Nov 24, 2014 11:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Soon2BXProgrammer »

Lynette wrote: Sun Mar 21, 2021 10:53 am On my list for research is encryption
Encryption = the easy button on windows 10 is to upgrade to "pro" to use bitlocker
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Yes thanks for the encouragement. A few days ago I tried to upgrade on my desktop with an Activation Code I bought from Amazon for $99.00. It did not work so I decided that I did not really need the desktop and instead attached my printer and scanner to another laptop I had. Today I managed to upgrade that laptop to Microsoft Windows 10 Pro as well as another Windows PC I use for Photoshop. I also bought an ASUS ZenBook 13 Ultra-Slim Windows 10 Pro for travel. Now I have to figure out what this all means. :D

Thanks,

Lynette
rebellovw
Posts: 991
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

I'm in the middle of signing up for Google Advanced Protection - I'm waiting on the second yubikey. You raised something I didn't know about- I thought the backup codes would work - but apparently they will not work with Advanced Protection - they are revoked.

Really the only backup you will need will be to have more yubikeys. These things are like gremlins - you get one- and now I need what two more?

I'll probably go the route of an extra key or two. I've also ordered a ballchain necklace to store the yubikey to make life easier as I use it across all my various PCs and Macbooks. I'll just wear it like dog tags.

I'm using Veracrypt to encrypt my PC drives as bitlocker messed things up as my PC is older and doesn't have the hardware to support BL (the TM module that bitlocker requires.) Veracrypt is working fine (open source.) I'm using Filevault on my Macbook - and for my backup NAS - I'm using its own encryption with keys stored on thumbdrives.

Drive encryption - important advice- have a backup! I've lost two drives worth of data playing with bitlocker and veracrypt. Now I have it completely figured out and working as I want.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sun Mar 21, 2021 7:23 pm I'm in the middle of signing up for Google Advanced Protection - I'm waiting on the second yubikey. You raised something I didn't know about- I thought the backup codes would work - but apparently they will not work with Advanced Protection - they are revoked.

Really the only backup you will need will be to have more yubikeys. These things are like gremlins - you get one- and now I need what two more?

I'll probably go the route of an extra key or two. I've also ordered a ballchain necklace to store the yubikey to make life easier as I use it across all my various PCs and Macbooks. I'll just wear it like dog tags.

I'm using Veracrypt to encrypt my PC drives as bitlocker messed things up as my PC is older and doesn't have the hardware to support BL (the TM module that bitlocker requires.) Veracrypt is working fine (open source.) I'm using Filevault on my Macbook - and for my backup NAS - I'm using its own encryption with keys stored on thumbdrives.

Drive encryption - important advice- have a backup! I've lost two drives worth of data playing with bitlocker and veracrypt. Now I have it completely figured out and working as I want.
If you set up 2FA in Google, you have to deliberately enable the different options. As I understand it, you can only enable Yubikeys and have google codes as the backup. Isn't that sufficient? Of course you cannot be signed in to a Smartphone, or else it forces you to use Google Prompts with your Smartphone's security key.

I still don't understand the implications of encryption. So I have bitlocker enabled. What am I supposed to do with this? I don't back up my drives as I don't store anything I need there. If I cannot access something, I will simply restore the device to factory settings. Most of the stuff I need is stored in Google or Google Drive.
rebellovw
Posts: 991
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Lynette wrote: Sun Mar 21, 2021 7:59 pm
rebellovw wrote: Sun Mar 21, 2021 7:23 pm I'm in the middle of signing up for Google Advanced Protection - I'm waiting on the second yubikey. You raised something I didn't know about- I thought the backup codes would work - but apparently they will not work with Advanced Protection - they are revoked.

Really the only backup you will need will be to have more yubikeys. These things are like gremlins - you get one- and now I need what two more?

I'll probably go the route of an extra key or two. I've also ordered a ballchain necklace to store the yubikey to make life easier as I use it across all my various PCs and Macbooks. I'll just wear it like dog tags.

I'm using Veracrypt to encrypt my PC drives as bitlocker messed things up as my PC is older and doesn't have the hardware to support BL (the TM module that bitlocker requires.) Veracrypt is working fine (open source.) I'm using Filevault on my Macbook - and for my backup NAS - I'm using its own encryption with keys stored on thumbdrives.

Drive encryption - important advice- have a backup! I've lost two drives worth of data playing with bitlocker and veracrypt. Now I have it completely figured out and working as I want.
If you set up 2FA in Google, you have to deliberately enable the different options. As I understand it, you can only enable Yubikeys and have google codes as the backup. Isn't that sufficient? Of course you cannot be signed in to a Smartphone, or else it forces you to use Google Prompts with your Smartphone's security key.

I still don't understand the implications of encryption. So I have bitlocker enabled. What am I supposed to do with this? I don't back up my drives as I don't store anything I need there. If I cannot access something, I will simply restore the device to factory settings. Most of the stuff I need is stored in Google or Google Drive.
Yes - Google 2FA setup as per security recommendations - is perfect (I can get you the link that shows how to lock down standard google.) I'd say Advanced is just over the top- and if you want over the top - go with it. It will work for me I think - I'll have to think more on it - like - what if I'm on vacation - and I lose my yubikey - I'm away from home with no access to the backup - could be quite a pain - perhaps too secure - too rigid. I may back off and just be happy with standard google which is extremely secure as is.

For me the implications of drive encryption: Someone breaks into my home and steals things:
- My synology NAS drive box - they probably would just want the disk drives to sell on ebay
- My MacBook - they probably just want the unit itself but nothing off the drives
- My PC - again - likely just want the hardware.

For me - I want all the drives on those devices to be encrypted so that all they can really do is format them to make them useful. They will not get any of my personal data. That is the reason for doing it. If you are confident that all your data is in the cloud and nothing you care about is local, cached, in downloads folder or temp - then you are likely OK to not use it. To be sure - just encrypt the drives and there's nothing more to do. You shouldn't even notice they are encrypted.

Best of luck!
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

rebellovw wrote: Sun Mar 21, 2021 8:31 pm For me the implications of drive encryption: Someone breaks into my home and steals things:
- My synology NAS drive box - they probably would just want the disk drives to sell on ebay
- My MacBook - they probably just want the unit itself but nothing off the drives
- My PC - again - likely just want the hardware.

For me - I want all the drives on those devices to be encrypted so that all they can really do is format them to make them useful. They will not get any of my personal data. That is the reason for doing it. If you are confident that all your data is in the cloud and nothing you care about is local, cached, in downloads folder or temp - then you are likely OK to not use it. To be sure - just encrypt the drives and there's nothing more to do. You shouldn't even notice they are encrypted.

Best of luck!
When you log into your Microsoft computer, do you also have to enter the password of the encrypted device? Chromebooks are great devices but unless you log out of them, anyone can access all of your data immediately - including google drive. I guess the best solution when one goes on vacation is to log out of the devices and/or revoke all of them as trusted devices. It depends how far one feels the need to take security!

Lynette
Grasshopper
Posts: 1092
Joined: Sat Oct 09, 2010 3:52 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Grasshopper »

With my chromebook when I leave my laptop I just lock it. When I return I have to use my PW or have my phone (trusted device) close by. I use 2 Yubikeys for my gmail on my chromebook, and W10 laptop, which I only use for Quicken, TurboTax.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Grasshopper wrote: Mon Mar 22, 2021 8:14 am With my chromebook when I leave my laptop I just lock it. When I return I have to use my PW or have my phone (trusted device) close by. I use 2 Yubikeys for my gmail on my chromebook, and W10 laptop, which I only use for Quicken, TurboTax.
Wow - thanks!! I did not know that you could do this.

Thanks,

Lynette
rebellovw
Posts: 991
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

Lynette wrote: Mon Mar 22, 2021 7:24 am
rebellovw wrote: Sun Mar 21, 2021 8:31 pm For me the implications of drive encryption: Someone breaks into my home and steals things:
- My synology NAS drive box - they probably would just want the disk drives to sell on ebay
- My MacBook - they probably just want the unit itself but nothing off the drives
- My PC - again - likely just want the hardware.

For me - I want all the drives on those devices to be encrypted so that all they can really do is format them to make them useful. They will not get any of my personal data. That is the reason for doing it. If you are confident that all your data is in the cloud and nothing you care about is local, cached, in downloads folder or temp - then you are likely OK to not use it. To be sure - just encrypt the drives and there's nothing more to do. You shouldn't even notice they are encrypted.

Best of luck!
When you log into your Microsoft computer, do you also have to enter the password of the encrypted device? Chromebooks are great devices but unless you log out of them, anyone can access all of your data immediately - including google drive. I guess the best solution when one goes on vacation is to log out of the devices and/or revoke all of them as trusted devices. It depends how far one feels the need to take security!

Lynette
Yes with Veracrypt I have to enter the passcode to boot up.

All my computers will screen lock after 15 minutes.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Jeff Albertson »

Lynette wrote: Sat Mar 20, 2021 6:13 pm Thanks for your research. I am wondering whether Google's implementation of an Android phone as a security key using Google prompts is equivalent to using a Yubikey. Apparently for now it only works with Android phones and Google Chrome. I think that this would overcome the weakness of SMS due to a potential sim swap. One has to have both location services as well as bluetooth turned on.

https://www.theverge.com/2019/4/10/1829 ... entication
Apparently there are other weaknesses of SMS other than sim swapping.
https://krebsonsecurity.com/2021/03/can ... ecure-now/
Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging.

The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Jeff Albertson wrote: Mon Mar 22, 2021 12:45 pm
Lynette wrote: Sat Mar 20, 2021 6:13 pm Thanks for your research. I am wondering whether Google's implementation of an Android phone as a security key using Google prompts is equivalent to using a Yubikey. Apparently for now it only works with Android phones and Google Chrome. I think that this would overcome the weakness of SMS due to a potential sim swap. One has to have both location services as well as bluetooth turned on.

https://www.theverge.com/2019/4/10/1829 ... entication
Apparently there are other weaknesses of SMS other than sim swapping.
https://krebsonsecurity.com/2021/03/can ... ecure-now/
Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the same after creating an account at a service called Sakari, a company that helps celebrities and businesses do SMS marketing and mass messaging.

The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge.
The Google implementation of using the phone's security key for a prompt does not require a phone number. I bought a new Android phone that still does not have a Sim but I logged into it with my Google Account. When I came to set up 2 factor authentication, I could not add a Yubikey as a security key. Instead when I added a security key, it only allowed me to choose which one of the phones I wanted to use as a prompt. It uses the Security key of the phones using Bluetooth and location services to verify me. I guess the idea being that the phone needs to be close to me and not on the other side of the world. I may be able to log out of the phones and start over to set up 2 Factor authorization.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Mon Mar 22, 2021 2:24 pm The Google implementation of using the phone's security key for a prompt does not require a phone number. I bought a new Android phone that still does not have a Sim but I logged into it with my Google Account. When I came to set up 2 factor authentication, I could not add a Yubikey as a security key. Instead when I added a security key, it only allowed me to choose which one of the phones I wanted to use as a prompt. It uses the Security key of the phones using Bluetooth and location services to verify me. I guess the idea being that the phone needs to be close to me and not on the other side of the world. I may be able to log out of the phones and start over to set up 2 Factor authorization.
I have followed this thread with interest. I am not convinced that the GAP is "the only safe way to use" Yubikeys. I think that GAP simply adds additional protections of other types to the hardware device to protect the Chrome browser or Chrome operating system so that the Google account itself doesn't get compromised. And that it's especially intended for mobile hardware devices, eg: smart phones, rather than pc's (of any OS).

But in any case, I am confused by the situation where the Android phone does not permit adding a Yubikey (or possibly any other external hardware key). I have set up a number of Google accounts and I have always done so on my Windows laptop (or other computers over the years) rather than creating a new account on a smart phone. I then use these Google accounts (not all but several) on smart phones and iPads along with 2FA. I suppose I am pc-centric rather than phone-centric...and the world changing around me and I am a bit of a dinosaur in that regard.

Tonight I created a new Google account on my Google Pixel 3a smart phone. Phone is designed/manufactured/sold by Google. Has Android version 11. Has the built-in Google Titan security chip. It can read near field communication (NFC) keys or USB C keys; I have a new Yubikey 5 with NFC (but USB A connector). I created the new Google account and set up 2FA for it as part of the initial set-up process (I did not elect the GAP); I was presented with the choice of type of external hardware key: Bluetooth, NFC, or wired, and I selected the NFC option. Then I had to hold my Yubikey near the NFC antenna. All was good then.

One issue I ran into was that the option button to...I don't recall the exact phrasing but it's to "trust" the device so that the 2FA does not need to be done again at each log-in. I didn't notice this the first time through and the account would always log me in even with the key locked in a Faraday cage (the microwave oven). Then I realized what the issue was and re-set that option. I certainly hope that Google does not even provide this option for a system with GAP, to me that would be a GAPing security hole.

By the way, I got really interested in advanced security functions with VPNs, encryption, etc, when I was going on some long international trips to east Asia. It's all a fascinating topic.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Hi John,

You cannot use Yubikeys on a Google account if you are signed into that account on an ANDROID smartphone. I have another Google account on another Chromebook. I am not signed into Google on my smart phones with that account so I can use my Yubikeys there. This was a change that Google made a few months ago and I notice that on Reddit some people were complaining about it - vociferously.

Last night I logged off of my main Google account and then tried to log back on. I was presented with a frightening number of possibilities - including another email account and main phone number I had entered as ways of recovery.

One of the websites I used had a data breach. I had calls trying to get my SS and Medicare numbers, scammer's demand for money and fraud on a credit card that was reissued four times. The scammer used Paypal and set it as a recurring subscription! This is why I felt I had to become interested in security!
Last edited by Lynette on Tue Mar 23, 2021 7:45 am, edited 1 time in total.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Sat Mar 20, 2021 5:39 pm I don't think that the Google Advanced Protection ("GAP") system provides any further protection with or to the Yubikeys.
Yes, it does. The Google Advanced Protection Program only allows physical security keys to be used as the second factor for 2FA, it disables SMS texting, backup codes, phone prompts, and any other form of 2FA which may be vulnerable to phishing or other exploits. Physical security keys cannot be phished. It also provides protection from harmful downloads, and it only allows Google apps and verified third party apps to access your Google account data, and only with your permission.

https://landing.google.com/advancedprotection/
Last edited by mptfan on Tue Mar 23, 2021 8:03 am, edited 2 times in total.
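Why a relying party can reject a phished security-key response while a relayed typed code still passes, shown as an added example that is not part of the thread and is not Google's code. It is a simplified model of a WebAuthn assertion check: the origins are constructed, the browser takes the RP ID to be the page's host, and HMAC-SHA256 stands in for the ECDSA signature a real key produces so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import struct
from base64 import urlsafe_b64encode

# Constructed names for illustration; not real services.
RP_ID = "accounts.example"
RP_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.test"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64u(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


class SecurityKey:
    """Toy authenticator that derives a separate credential key per RP ID."""

    def __init__(self):
        self._device_secret = os.urandom(32)
        self._counter = 0

    def credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self._device_secret, sha256(rp_id.encode()), "sha256").digest()

    def get_assertion(self, rp_id: str, client_data: bytes):
        self._counter += 1
        # authenticatorData: rpIdHash (32) | flags (1, bit 0 = user present) | counter (4)
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", self._counter)
        # Assumption: HMAC stands in for the ECDSA signature of a real key.
        sig = hmac.new(self.credential_key(rp_id), auth_data + sha256(client_data), "sha256").digest()
        return auth_data, sig


def client_data_json(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64u(challenge), "origin": origin}).encode()


def browser_get(key: SecurityKey, page_origin: str, challenge: bytes):
    """The browser, not the page, records the origin and scopes the request to it."""
    client_data = client_data_json(page_origin, challenge)
    rp_id = page_origin.split("://", 1)[1]  # simplification: RP ID = page host
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def verify_assertion(registered_key, challenge, client_data, auth_data, sig) -> str:
    """Server-side checks; returns 'ok' or the first check that failed."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64u(challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    expected = hmac.new(registered_key, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    return "ok"


def verify_typed_code(expected: str, submitted: str) -> bool:
    """A typed code (SMS, backup code) is checked by value only; nothing records where it was typed."""
    return hmac.compare_digest(expected, submitted)


def run_scenarios() -> dict:
    key = SecurityKey()
    registered = key.credential_key(RP_ID)  # stored by the server at registration
    challenge = os.urandom(32)
    results = {}
    results["legit"] = verify_assertion(registered, challenge, *browser_get(key, RP_ORIGIN, challenge))
    # The user is on the look-alike page, which passes along the real site's challenge.
    cd, ad, sig = browser_get(key, PHISH_ORIGIN, challenge)
    results["relayed"] = verify_assertion(registered, challenge, cd, ad, sig)
    # Rewriting fields in transit does not help: the signature covers them
    # and was made with the key scoped to the look-alike RP ID.
    cd2 = client_data_json(RP_ORIGIN, challenge)
    results["origin_rewritten"] = verify_assertion(registered, challenge, cd2, ad, sig)
    ad2 = sha256(RP_ID.encode()) + ad[32:]
    results["all_rewritten"] = verify_assertion(registered, challenge, cd2, ad2, sig)
    # Constructed six-digit code: the same value is accepted wherever the user typed it.
    results["typed_code_relayed"] = verify_typed_code("492817", "492817")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```
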
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Mon Mar 22, 2021 11:01 pm I think that GAP simply adds additional protections of other types to the hardware device to protect the Chrome browser or Chrome operating system so that the Google account itself doesn't get compromised. And that it's especially intended for mobile hardware devices, eg: smart phones, rather than pc's (of any OS).
This is not correct, see my previous post.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette wrote: Tue Mar 23, 2021 7:37 am You cannot use Yubikeys on a Google account if you are signed into that account on an ANDROID smartphone.
This is not correct. I've done it.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Tue Mar 23, 2021 7:47 am
JohnFiscal wrote: Mon Mar 22, 2021 11:01 pm I think that GAP simply adds additional protections of other types to the hardware device to protect the Chrome browser or Chrome operating system so that the Google account itself doesn't get compromised. And that it's especially intended for mobile hardware devices, eg: smart phones, rather than pc's (of any OS).
This is not correct, see my previous post.
And based on that previous post I stand by my remarks.

The GAP doesn't add any functions/features to the hardware keys themselves or to using them. GAP requires the use of the hardware keys as the 2FA, but this doesn't improve the safety of the hardware keys themselves.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Tue Mar 23, 2021 7:48 am
Lynette wrote: Tue Mar 23, 2021 7:37 am You cannot use Yubikeys on a Google account if you are signed into that account on an ANDROID smartphone.
This is not correct. I've done it.
If you were already using a Yubikey (i.e) legacy account, you can probably add Yubikeys. But if you are already logged into a Smartphone, Google Prompts is the default. There are articles on how to bypass this:

https://phandroid.com/2020/09/22/how-to ... n-android/

In any event, I am getting a third Chromebook and Microsoft PC for travel, so I will play around with it.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette wrote: Tue Mar 23, 2021 8:30 am If you were already using a Yubikey (i.e) legacy account, you can probably add Yubikeys. But if you are already logged into a Smartphone, Google Prompts is the default.
I don't understand. What do you mean by a "Yubikey legacy account?" The account is a Google account, the yubikey is not an account. And even if google prompt is the default, that does not mean you cannot add a security key or use a security key on an Android phone, I've done it.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Tue Mar 23, 2021 8:09 am And based on that previous post I stand by my remarks.

The GAP doesn't add any functions/features to the hardware keys themselves or to using them. GAP requires the use of the hardware keys as the 2FA, but this doesn't improve the safety of the hardware keys themselves.
You also said it was especially intended for mobile devices, but that's not true, the APP protects your Google account regardless of the device used. I do agree with your point that the security keys themselves are equally safe whether you enroll in APP or not.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Tue Mar 23, 2021 7:37 am Hi John,

You cannot use Yubikeys on a Google account if you are signed into that account on an ANDROID smartphone. I
That is what I described in my post. That yesterday I created a new Google account on my Google Pixel (ANDROID) phone and it permitted me to set up my Yubi 5 NFC key as the 2FA.

So your situation where Google doesn't permit this may be due to some other condition. It doesn't seem to be a global function of setting up the Google accounts.

Or perhaps I am misunderstanding your description? Are you saying you are logged into the Google account on your smart phone, and then you go over to another device, Chromebook, pc, etc, and try to log into the same Google account and at that point you're not permitted to use the hardware key?
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Tue Mar 23, 2021 8:33 am
Lynette wrote: Tue Mar 23, 2021 8:30 am If you were already using a Yubikey (i.e) legacy account, you can probably add Yubikeys. But if you are already logged into a Smartphone, Google Prompts is the default.
I don't understand. What do you mean by a "Yubikey legacy account?" The account is a Google account, the yubikey is not an account. And even if google prompt is the default, that does not mean you cannot add a security key or use a security key on an Android phone, I've done it.
By legacy account I mean two factor authentication that was set up before the change that Google implemented:

https://www.androidpolice.com/2020/06/0 ... ompt-soon/

https://www.engadget.com/google-default ... 56172.html
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Tue Mar 23, 2021 8:35 am
JohnFiscal wrote: Tue Mar 23, 2021 8:09 am And based on that previous post I stand by my remarks.

The GAP doesn't add any functions/features to the hardware keys themselves or to using them. GAP requires the use of the hardware keys as the 2FA, but this doesn't improve the safety of the hardware keys themselves.
You also said it was especially intended for mobile devices, but that's not true, the APP protects your Google account regardless of the device used. I do agree with your point that the security keys themselves are equally safe whether you enroll in APP or not.
This is true! It protects your Google account. On any hardware. But I still believe that it's intended for mobile devices and for the intended audience of people who may be especially targeted for political, business, social, and other nefarious reasons (not that their own actions are nefarious, but the attackers have nefarious reasons for attacking this person). And mostly the targets are going to be carrying around their smart phone as they travel around, subject to "Banana Republic" police interrogations, etc. This is not too likely to occur with a pc kept in a static location.

I also wanted to drive home the point (or counterpoint to this thread's Subject's postulate) that Yubikeys may be unsafe in some manner. I don't believe they are. There may be some theoretical instance in which even they could be targeted; the same way I've seen photographs of lab settings showing the possibility of using dry ice to keep a laptop's chips at very cold temperatures so that the volatile memory retains the log-in credentials long enough so they can be read by other tools. This has actually been done although I doubt its practicality for using too often.

But who knows what happens at a border crossing (maybe into PRC? some other unfriendly nation?) when the immigration agents have you boot up your device and then take it away into a back room?

So, yes, some people (targets) may have special need to keep their devices ultra-secure. I have tried to do this over the years with my own international travels and for daily use. But the usage burden (due to restrictions on convenience) of GAP is unnecessary simply to use some Yubikeys, etc, to log into an account.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Tue Mar 23, 2021 8:54 am This is true! It protects your Google account. On any hardware. But I still believe that it's intended for mobile devices and for the intended audience of people who may be especially targeted for political, business, social, and other nefarious reasons (not that their own actions are nefarious, but the attackers have nefarious reasons for attacking this person). And mostly the targets are going to be carrying around their smart phone as they travel around, subject to "Banana Republic" police interrogations, etc. This is not too likely to occur with a pc kept in a static location.
I agree that APP is intended, at least in part, to protect those who may be especially targeted for hacking, but I don't agree that it is especially intended for mobile devices. It's certainly true that high profile targets carry their smartphone around as they travel, but so do people who are not targets, and the physical protection of the smartphone by Banana Republic police interrogations is not what the APP is intended to protect...it is intended to protect the Google account from hacking, phishing and other exploits, not a smartphone...the Google account can be accessed from a variety of devices and is equally exposed to those exploits regardless of whether you carry your smartphone with you or not, and regardless of whether your pc is kept in a static location. Once you log in to your Android phone with your Google account and verify the account using your security key, then you (or anyone else) can access your Google account on that phone without a security key.

I don't consider myself to be a high profile target, but I am enrolled in APP and I access my Google account from several devices, including a smartphone and at least one Chromebox in a static location...the APP does not especially protect my smartphone any more so than it protects my other devices.
Last edited by mptfan on Tue Mar 23, 2021 9:24 am, edited 2 times in total.
rebellovw
Posts: 991
Joined: Tue Aug 16, 2016 4:30 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by rebellovw »

mptfan wrote: Tue Mar 23, 2021 8:35 am
JohnFiscal wrote: Tue Mar 23, 2021 8:09 am And based on that previous post I stand by my remarks.

The GAP doesn't add any functions/features to the hardware keys themselves or to using them. GAP requires the use of the hardware keys as the 2FA, but this doesn't improve the safety of the hardware keys themselves.
You also said it was especially intended for mobile devices, but that's not true, the APP protects your Google account regardless of the device used. I do agree with your point that the security keys themselves are equally safe whether you enroll in APP or not.
Agreed - it locks down your Google account regardless.

I finally completed setup yesterday.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

Thanks for all of the replies and advice. I started on the journey of upgrading my security in a panic after a scammer's ransom demand for money. It made me realize that the real and attempted fraud against me were the result of a data breach on a website I use. Today I get a new PC (for travel) and a third Chromebook. Some new Yubikeys as well as the fourth reissued credit card should arrive soon. I need to slowly work through the implications of protecting my accounts. I think that Google's Advanced Protection Plan is the Gold Standard but for the moment I want to have a fallback alternative. When I become more comfortable with using Yubikeys, I will likely implement Google's Advanced Protection Plan.

Thanks,

Lynette
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

I agree that the Google APP is the gold standard for keeping your account secure, my Google account is enrolled in the APP and I sleep well at night. If you use the APP then the only method of 2FA available is a physical security key, all other means of 2FA are disabled, including the backup codes. If you have an Android phone you can set up your phone to be a security key in addition to Yubikeys or other physical security keys from other manufacturers. Using your phone as a physical security key is different than the Google prompts because it only works on the one phone that you enroll as a security key and the phone has to be physically near enough to the device to be connected via bluetooth in order for the device to accept the phone as a security key, this is what makes it the equivalent of a physical security key and it prevents a hacker from remotely using your phone for 2FA.
HawkeyePierce
Posts: 1828
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by HawkeyePierce »

mptfan wrote: Tue Mar 23, 2021 11:00 am I agree that the Google APP is the gold standard for keeping your account secure, my Google account is enrolled in the APP and I sleep well at night. If you use the APP then the only method of 2FA available is a physical security key, all other means of 2FA are disabled, including the backup codes. If you have an Android phone you can set up your phone to be a security key in addition to Yubikeys or other physical security keys from other manufacturers. Using your phone as a physical security key is different than the Google prompts because it only works on the one phone that you enroll as a security key and the phone has to be physically near enough to the device to be connected via bluetooth in order for the device to accept the phone as a security key, this is what makes it the equivalent of a physical security key and it prevents a hacker from remotely using your phone for 2FA.
You can now use an iPhone as a security key with the APP.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Tue Mar 23, 2021 11:00 am I agree that the Google APP is the gold standard for keeping your account secure, my Google account is enrolled in the APP and I sleep well at night. If you use the APP then the only method of 2FA available is a physical security key, all other means of 2FA are disabled, including the backup codes. If you have an Android phone you can set up your phone to be a security key in addition to Yubikeys or other physical security keys from other manufacturers. Using your phone as a physical security key is different than the Google prompts because it only works on the one phone that you enroll as a security key and the phone has to be physically near enough to the device to be connected via bluetooth in order for the device to accept the phone as a security key, this is what makes it the equivalent of a physical security key and it prevents a hacker from remotely using your phone for 2FA.
Thank you - appreciate your help on this and other threads.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

HawkeyePierce wrote: Tue Mar 23, 2021 12:54 pm
mptfan wrote: Tue Mar 23, 2021 11:00 am I agree that the Google APP is the gold standard for keeping your account secure, my Google account is enrolled in the APP and I sleep well at night. If you use the APP then the only method of 2FA available is a physical security key, all other means of 2FA are disabled, including the backup codes. If you have an Android phone you can set up your phone to be a security key in addition to Yubikeys or other physical security keys from other manufacturers. Using your phone as a physical security key is different than the Google prompts because it only works on the one phone that you enroll as a security key and the phone has to be physically near enough to the device to be connected via bluetooth in order for the device to accept the phone as a security key, this is what makes it the equivalent of a physical security key and it prevents a hacker from remotely using your phone for 2FA.
You can now use an iPhone as a security key with the APP.
Thanks - appreciate your assistance on this and other threads I have read. I have nothing against Apple but I like the Samsung Galaxy Note series as they have a stylus. I'm not really good at typing on a phone!
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

mptfan wrote: Tue Mar 23, 2021 11:00 am I agree that the Google APP is the gold standard for keeping your account secure, my Google account is enrolled in the APP and I sleep well at night. If you use the APP then the only method of 2FA available is a physical security key, all other means of 2FA are disabled, including the backup codes. If you have an Android phone you can set up your phone to be a security key in addition to Yubikeys or other physical security keys from other manufacturers. Using your phone as a physical security key is different than the Google prompts because it only works on the one phone that you enroll as a security key and the phone has to be physically near enough to the device to be connected via bluetooth in order for the device to accept the phone as a security key, this is what makes it the equivalent of a physical security key and it prevents a hacker from remotely using your phone for 2FA.
I'm trying to become more comfortable with Yubikeys so this has been my experience. I tried to enter my phone as a security key on APP but there was this warning:

Due to COVID-19, we’re making changes to protect the health of our workforce, resulting in changes to our enrollment process. While you can still enroll with two physical security keys, we are temporarily suspending enrollment with your phone’s built-in security key. If you are interested in enrolling with your phone’s built-in security key, join our waitlist.

https://landing.google.com/advancedprotection/

However, I made a mistake about not being able to enter a Yubikey when I am using the security key of the phone. I was able to enter the security key of the phone as well as 3 security keys in 2FA. I revoked all devices as trusted. I went to another computer and entered that email account and password. I was given the option of verifying the security key prompt on my phone or using a Yubikey. All other options were turned off. I also have the phone enabled for SMS as well as codes. I could not use this. So it seems to me (as an inexperienced user) that this setup of 2FA (using security key of the phone and multiple Yubikeys) is superior to APP as I have more choices. APP (at this time) only allows two security keys.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette wrote: Thu Mar 25, 2021 5:33 pm I'm trying to become more comfortable with Yubikeys so this has been my experience. I tried to enter my phone as a security key on APP but there was this warning:

Due to COVID-19, we’re making changes to protect the health of our workforce, resulting in changes to our enrollment process. While you can still enroll with two physical security keys, we are temporarily suspending enrollment with your phone’s built-in security key. If you are interested in enrolling with your phone’s built-in security key, join our waitlist.

https://landing.google.com/advancedprotection/
You are misunderstanding that notice. That notice says that they are temporarily suspending enrollment with your phone's built in security key...enrollment refers to setting up the APP on your account for the first time. That means, at least temporarily, you have to use the two physical FIDO security keys (not including your phone) to enroll in the APP program, that does *not* mean that you are prevented from registering your phone as a security key AFTER you enroll in the program.
Last edited by mptfan on Thu Mar 25, 2021 10:22 pm, edited 6 times in total.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

Lynette wrote: Thu Mar 25, 2021 5:33 pm So it seems to me (as an inexperienced user) that this setup of 2FA (using security key of the phone and multiple Yubikeys) is superior to APP as I have more choices. APP (at this time) only allows two security keys.
The word "superior" is a matter of opinion. There is an inherent tradeoff between more security and more convenience or flexibility, so if you consider having more options as superior then yes, using security keys while not enrolling in the APP program is superior because you have more options. But if you consider more security as being superior then using security keys and enrolling in the APP program is superior.

It's not true that the APP only allows two security keys at this time, I have at least 5 security keys registered to my account, including my Android phone. You are confusing "enrollment" in the APP program with "registering" a security key.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Thu Mar 25, 2021 9:31 pm That means, at least temporarily, you have to use the two Google Titan security keys that they send you to "enroll" in the APP program, that does *not* mean that you are prevented from registering your phone as a security key AFTER you enroll in the program.
I don't think they send you those Google Titan keys unless you elect that option and pay for them. The program (APP), as I've seen it described on the relevant Google pages the past few days, will accept other hardware keys that meet the stated requirements.

I registered a new Google account (using my Pixel phone) two days ago with the Google Advanced Protection Program. I was able to use my existing Yubi keys. I didn't need to obtain Google Titan security keys.
Topic Author
Lynette
Posts: 2168
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

JohnFiscal wrote: Thu Mar 25, 2021 10:16 pm
mptfan wrote: Thu Mar 25, 2021 9:31 pm That means, at least temporarily, you have to use the two Google Titan security keys that they send you to "enroll" in the APP program, that does *not* mean that you are prevented from registering your phone as a security key AFTER you enroll in the program.
I don't think they send you those Google Titan keys unless you elect that option and pay for them. The program (APP), as I've seen it described on the relevant Google pages the past few days, will accept other hardware keys that meet the stated requirements.

I registered a new Google account (using my Pixel phone) two days ago with the Google Advanced Protection Program. I was able to use my existing Yubi keys. I didn't need to obtain Google Titan security keys.
Thanks. I seem to have misunderstood how APP works. I just ordered two Titan security keys - the more the better. I bought a third Chromebook and have registered it with a new Google Account. It does not matter if I am locked out of it as it is for experimentation. The way I have 2FA set up now, it does not allow me to use SMS or Google Backup Codes as it did before I registered the Phone's Security Key and Yubikeys.

Thanks,

Lynette
Last edited by Lynette on Fri Mar 26, 2021 6:39 am, edited 1 time in total.
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

Lynette wrote: Thu Mar 25, 2021 10:41 pm Thanks. I seem to have misunderstood how APP works. I just ordered two Titan security keys. I bought a third Chromebook and have registered it with a new Google Account. It does not matter if I am locked out of it as it is for experimentation. The way I have 2FA set up now, it does not allow me to use SMS or Google Backup Codes as it did before I registered the Phone's Security Key and Yubikeys.
Are you particularly buying a new Chromebook for each new Google account? Can't Chromebooks accept more than one Google account?

My impression from "Googling" is that they can handle multiple Google accounts. Even my tiny Google Pixel phone has three Google accounts, one with the Advanced Protection. It seems like there would be little risk in setting up your "throwaway" Google Account (the one you don't care if you lose access to), or rather accessing it, on one of the other Chromebooks.

I do understand that dedicated hardware is sometimes the best security solution.

Or perhaps there is a risk in accessing multiple Google accounts from a single hardware? I would like to know more of this risk.
mptfan
Posts: 6512
Joined: Mon Mar 05, 2007 9:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Fri Mar 26, 2021 6:38 am Are you particularly buying a new Chromebook for each new Google account? Can't Chromebooks accept more than one Google account?
Yes, I can sign in with up to 5 Google accounts on my Chromebook and Chromebox, and if I am logged in with more than one Google account at one time I can easily switch between them.

https://support.google.com/chromebook/a ... 8201?hl=en

https://www.androidpolice.com/2020/06/2 ... hromebook/
JohnFiscal
Posts: 936
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Fri Mar 26, 2021 6:42 am
JohnFiscal wrote: Fri Mar 26, 2021 6:38 am Are you particularly buying a new Chromebook for each new Google account? Can't Chromebooks accept more than one Google account?
Yes, I can sign in with up to 5 Google accounts on my Chromebook and Chromebox, and if I am logged in with more than one Google account at one time I can easily switch between them.

https://support.google.com/chromebook/a ... 8201?hl=en

https://www.androidpolice.com/2020/06/2 ... hromebook/
Why have dedicated hardware for a Google account then?