Is Google Advanced Protection the only safe way to use Yubikey?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by JohnFiscal »

mptfan wrote: Fri Apr 09, 2021 2:04 pm
JohnFiscal wrote: Fri Apr 09, 2021 1:52 pmBut on the Android phone you can "log out" of individual accounts; but you're not really logged out, you have to use the Android settings to "Remove Account", which entirely removes the account and its data (old emails).
I still don't understand what you are saying here, how do you log out of individual accounts on the Android phone? If you logged out of account B on another device you did not "log out on the Android phone." The only way to "log out" of an account and remove its data from an Android phone is to do it on the Android phone.
Agree, that on the Android phone you can "Remove" the account, Google or other, and all its data is gone. This does more than log out, it's gone. There is no old data/info left behind.

From Windows 10 I can go to the Security settings for the Google account in Chrome (I'm not saying anything about other browsers); enter https://myaccount.google.com in Chrome and select the "Security" option from the menu at the left. Scroll down a little ways to big heading "Your Devices", this shows where (what devices) that Google account is currently signed in. You can then click on a device and "Sign out". In my case, I sign into GAP account "B" (also signed in on the phone) and I can see that I'm logged in on two devices... the Windows 10 laptop and the Android phone. I click the Android phone (either click "More Details" or the 3-dots icon at top right of the device), I can then select "Sign out" for that device. That account will be logged out on the phone (or other device). On my phone the account remains in the native mail app with all the old data (mail), but I can't send or receive new mail. Really, it takes longer to describe this than demonstrating it.

My concern, and why I point this out, is that if someone values their Google account sufficiently to protect it with GAP then they need to be aware of possible pitfalls with some operations. Same I lost my phone, I could use the Google account Security function to force that device to "log out". But all the old mail is still there. Oops!

This is concerning enough to me that I wouldn't want my GAP account on the phone if it was truly important to keep that account secure; like it had access to my life's savings.


edit to add: bear in mind that I am pc-centric. My smart phone is not my main usage of Google accounts.
User avatar
kevinf
Posts: 843
Joined: Mon Aug 05, 2019 11:35 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by kevinf »

JohnFiscal wrote: Fri Apr 09, 2021 6:37 pm
My concern, and why I point this out, is that if someone values their Google account sufficiently to protect it with GAP then they need to be aware of possible pitfalls with some operations. Same I lost my phone, I could use the Google account Security function to force that device to "log out". But all the old mail is still there. Oops!

This is concerning enough to me that I wouldn't want my GAP account on the phone if it was truly important to keep that account secure; like it had access to my life's savings.
You can install programs that will remotely wipe the phone if you deem it beyond recovery. Also, all modern Android phones are hardware encrypted, your emails can't just be pulled off of the phone. The most glaring vulnerability would be if you used a 4-digit PIN as your access code and the thief was able to successfully guess your PIN before the phone locked itself for too many attempts. If you are this worried, use a pass-phrase or 2-factor authentication to log onto your phone (a bluetooth/NFC dongle that needs to be present, for example).

I'd wager most modern phones are more secure than most modern PCs, especially when the attacker has access to the hardware.
Topic Author
Lynette
Posts: 2404
Joined: Sun Jul 27, 2014 9:47 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by Lynette »

kevinf wrote: Fri Apr 09, 2021 7:53 pm
JohnFiscal wrote: Fri Apr 09, 2021 6:37 pm
My concern, and why I point this out, is that if someone values their Google account sufficiently to protect it with GAP then they need to be aware of possible pitfalls with some operations. Same I lost my phone, I could use the Google account Security function to force that device to "log out". But all the old mail is still there. Oops!

This is concerning enough to me that I wouldn't want my GAP account on the phone if it was truly important to keep that account secure; like it had access to my life's savings.
You can install programs that will remotely wipe the phone if you deem it beyond recovery. Also, all modern Android phones are hardware encrypted, your emails can't just be pulled off of the phone. The most glaring vulnerability would be if you used a 4-digit PIN as your access code and the thief was able to successfully guess your PIN before the phone locked itself for too many attempts. If you are this worried, use a pass-phrase or 2-factor authentication to log onto your phone (a bluetooth/NFC dongle that needs to be present, for example).

I'd wager most modern phones are more secure than most modern PCs, especially when the attacker has access to the hardware.
I think that in order to remotely wipe your phone it would have to be powered on and connected to the internet. I was looking at this for my Samsung Galaxy.

https://www.samsung.com/us/support/answer/ANS00080182/

I found that my Samsung phone has settings I can turn on:

- After 15 incorrect attempts to unlock the phone, it will be reset to factory default settings and all data will be erased

- Prevent wifi from being turned off when the phone is locked as Find my phone uses these connections.

I will definitely create a password when I travel internationally.
User avatar
kevinf
Posts: 843
Joined: Mon Aug 05, 2019 11:35 pm

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by kevinf »

https://www.google.com/android/find

You can lock and erase a device from your google web account or lock it and sign it out of your google account.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Is Google Advanced Protection the only safe way to use Yubikey?

Post by mptfan »

JohnFiscal wrote: Fri Apr 09, 2021 6:37 pm This is concerning enough to me that I wouldn't want my GAP account on the phone if it was truly important to keep that account secure; like it had access to my life's savings.
This is not an issue for me because I do not access or control my Google account from a Windows PC, in fact I do not personally own a Windows or Mac PC, all of my personal computing is done using Chromebooks and Chromeboxes running Chrome OS, in addition to my Pixel Android phone. I can sign out and remove my Google account from my phone by logging in to my Google account on my Chromebook or Chromebox.
Post Reply