Google Expands Android's Built-in Security Key To iOS Devices (zdnet.com)
An anonymous reader shares a report: In April, Google announced a groundbreaking technology that could allow Android users to use their smartphones as hardware security keys whenever logging into Google accounts on their laptops or work PCs. Initially, the technology was made available for Chrome OS, macOS, and Windows 10 devices. Today, Google announced it is expanding this technology to iOS as well. Today's news means that iPhone and iPad users can now use their (secondary) Android smartphones as a security key whenever logging into their Google accounts on an iOS device. The technology works basically the same, as Google explained in April, at the Cloud Next 2019 conference.
Nice, but doesn't actually work (Score:2)
How is this technology not just another attack surface that malicious actors could use as part of their activities?
It's not an attack vector because it doesn't actually work:
https://arstechnica.com/inform... [arstechnica.com]
Re: What about OpenBSD support? (Score:1)
Thought BSD was dead and called MacOS now?
Re: What about OpenBSD support? (Score:1)
MacOS is a barnacle growing on the side of BSD.
Privacy considerations (Score:4, Insightful)
Re: (Score:2)
That's a great point, but that's true of a security token as well.
Re: (Score:2)
Android's use of the hardware-backed keystore to implement FIDO is a useful feature, but it also raises numerous privacy concerns. The key, by definition, is both unique and definitively tied to the user's identity. In effect it is also a "super-cookie" baked deep into the hardware that Google, under the FIDO/CTAP scheme, can access at any time.
It's not a super-cookie baked into hardware, because the keys used for FIDO are generated on-device, per application.
There is a key that is baked into the hardware, but it's not device-unique. This is the Android Keystore attestation key (Note: I'm the primary author of Android keystore, and the designer and implementer of the attestation scheme), and it's not a device-unique identifier because it's required that the same key be used on a large batch of devices. The Compliance Definition Document requi [android.com]
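The two-level key hierarchy the comment above describes, as an added example that is not Android's, Google's or the commenter's code: a constructed in-memory authenticator in Go that generates a fresh ECDSA credential key for every relying party, and signs registrations with a batch attestation key shared by every device in the batch. The rpIDs, the "phone" names and the challenge bytes are constructed for the demonstration; the message layout is a simplification of what CTAP actually signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a constructed model of a FIDO2/CTAP authenticator, not the
// Android Keystore or Google's implementation. It shows only the key hierarchy:
// every relying party (rpID) gets its own freshly generated credential key, while
// the attestation key is shared by a whole batch of devices, so neither key on
// its own identifies one device across sites.
type Authenticator struct {
	creds       map[string]*ecdsa.PrivateKey // rpID -> per-RP credential private key
	attestation *ecdsa.PrivateKey            // batch attestation key, shared by many devices
}

func NewAuthenticator(batchKey *ecdsa.PrivateKey) *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}, attestation: batchKey}
}

// pubBytes encodes a P-256 public key as X||Y (64 bytes) for inclusion in signed data.
func pubBytes(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// signedData is the digest the authenticator signs: the rpID hash (binding the
// credential to one site) together with the client data hash (the challenge).
func signedData(rpID string, clientDataHash []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], clientDataHash...))
	return d[:]
}

// Register creates a brand-new credential key for rpID (replacing any earlier one)
// and returns its public key plus a batch-key attestation over rpID, challenge and key.
func (a *Authenticator) Register(rpID string, clientDataHash []byte) (*ecdsa.PublicKey, []byte, error) {
	cred, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a.creds[rpID] = cred
	toSign := sha256.Sum256(append(signedData(rpID, clientDataHash), pubBytes(&cred.PublicKey)...))
	attSig, err := ecdsa.SignASN1(rand.Reader, a.attestation, toSign[:])
	if err != nil {
		return nil, nil, err
	}
	return &cred.PublicKey, attSig, nil
}

// Assert answers a login challenge for rpID using only that RP's credential key.
func (a *Authenticator) Assert(rpID string, clientDataHash []byte) ([]byte, error) {
	cred, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, cred, signedData(rpID, clientDataHash))
}

// VerifyAttestation is the relying party's registration-time check against the
// batch public key: it proves "a device from this batch", not "this device".
func VerifyAttestation(batchPub *ecdsa.PublicKey, rpID string, clientDataHash []byte, credPub *ecdsa.PublicKey, attSig []byte) bool {
	toSign := sha256.Sum256(append(signedData(rpID, clientDataHash), pubBytes(credPub)...))
	return ecdsa.VerifyASN1(batchPub, toSign[:], attSig)
}

// VerifyAssertion is the relying party's login-time check against the credential
// public key it stored at registration.
func VerifyAssertion(credPub *ecdsa.PublicKey, rpID string, clientDataHash, sig []byte) bool {
	return ecdsa.VerifyASN1(credPub, signedData(rpID, clientDataHash), sig)
}

func main() {
	batch, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key for the whole batch
	phoneA, phoneB := NewAuthenticator(batch), NewAuthenticator(batch)
	challenge := sha256.Sum256([]byte("constructed client data"))

	pubA1, attA, _ := phoneA.Register("accounts.google.com", challenge[:])
	pubA2, _, _ := phoneA.Register("github.com", challenge[:])
	pubB1, attB, _ := phoneB.Register("accounts.google.com", challenge[:])
	sig, _ := phoneA.Assert("accounts.google.com", challenge[:])

	fmt.Println("same device, two RPs, same key?     ", pubA1.Equal(pubA2))
	fmt.Println("two devices, same RP, same key?     ", pubA1.Equal(pubB1))
	fmt.Println("both attestations verify with batch?",
		VerifyAttestation(&batch.PublicKey, "accounts.google.com", challenge[:], pubA1, attA) &&
			VerifyAttestation(&batch.PublicKey, "accounts.google.com", challenge[:], pubB1, attB))
	fmt.Println("assertion verifies for right RP?    ", VerifyAssertion(pubA1, "accounts.google.com", challenge[:], sig))
	fmt.Println("assertion verifies for wrong RP?    ", VerifyAssertion(pubA1, "github.com", challenge[:], sig))
}
```

The point a tracker would care about is visible in the output: two relying parties on one device never see the same public key, and two devices in the same batch produce attestations that verify against the same batch key, so the attestation proves membership of a large batch rather than naming a device. In a real deployment the batch key is certified by the manufacturer and the relying party validates that certificate chain; that chain is omitted here.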
Re: (Score:3)
Note: I'm the primary author of Android keystore, and the designer and implementer of the attestation scheme
Sorry for replying to myself, but I have to make one disclaimer here. I disclaim responsibility for the horrible Android Keystore API. The engineer who wrote the original incarnation of Keystore decided to use the Java Crypto API as its interface. I see lots of valid reasons for making that particular choice, and I don't think it was a bad one within the constraints and the context. I'd probably have done the same thing. However, the Java Crypto API is awful, among the worst crypto APIs I've ever seen,
Re: (Score:2)
What happens when a phone is stolen?
With respect to keystore? Depends on what keys are used for. Keystore protects the key material from extraction, and limits their use to the allowable ways that were defined at key creation time. One of the options available is to allow key use only when the user authenticates themselves.
This is a stupid idea.
In what way, and compared to what alternative?
I have a question (Score:1)
How does it feel to be working for one of the most evil companies in the world? Do you even know you are doing evil things? What happened to your soul?
Do you really think it is okay for your shit company to store everything about everyone?
numbnuts
Re: (Score:2)
How does it feel to be working for one of the most evil companies in the world?
What you think you know about Google is wrong. I know the truth of what Google is and does.
somebody got their butt hurt (Score:2)
Methinks Google is smarting from Apple's One Button login changes taking away their ability to monetize your information on iOS.
What is 'groundbreaking' about this? (Score:2)
I have an app like that already that works with my Google account, Duo tokens, Github and more. There are literally dozens of apps like that on the app store.
Re: (Score:1)
Yeah, it's basically google trying to draw an artificial distinction between One Time Password [wikipedia.org] and some sort of FIDO key emulation. They possibly think it's backed by some hardware security module, but how would you know?
Of course, it's possible to emulate a FIDO key in software. (you didn't realize that, people?)
In Microsoft-land, we've had the Microsoft Authenticator app on iOS and Android for ages. It supports both Time Based One Time Password codes *and* it has its own direct connection to Microsoft'