Dark Reading is part of the Informa Tech Division of Informa PLC


1/15/2020
04:15 PM

Google Lets iPhone Users Turn Device into Security Key

The iPhone can now be used in lieu of a physical security key as a means of protecting Google accounts.

Google today announced updates to its Advanced Protection Program (APP), including the option for Apple iPhone users to use their smartphone as a security key instead of buying a separate physical key. It's also bringing easier enrollment for the program to iPhone and Android devices.

APP aims to bring stronger security protections to politicians, journalists, activists, business executives, and other high-risk individuals likely to be targeted with cyberattacks. It's difficult to define what makes these people vulnerable, as it depends on who they are and what they do. Politicians may be at higher risk during an election year; some activists may be targeted by their own governments. Journalists may be at higher risk if they're in a war zone or certain countries.

Some are at risk because of their worth. Shuvo Chatterjee, product manager with Google's APP, points to cryptocurrency investors as an example. "Time and time again we see people bragging on Twitter about how much they have, and they become a target," he explains.

The APP was introduced to defend against phishing attacks and protect data by limiting access to information and adding extra account verification. Only Google apps and select third-party apps can access emails and Drive files, for example. Users must have a physical security key.

While participants like the program, Chatterjee says, many found the security key difficult from a usability standpoint. "It's still this strange thing for most people," he explains. "They don't understand what it is; it's still another thing you have to carry around." The APP previously required the use of two physical security keys, which would turn people away when enrolling.

Last year, Google gave Android users the option to use their phone as a physical security key. Android devices running version 7.0 (Nougat) or later could double as keys to be used for two-factor authentication when logging into personal Google accounts and G Suite or Google Cloud.

Expanding the same option to iPhones presented more of a challenge. When Android devices became compatible as security keys, APP users with iPhones were still required to use a particular Bluetooth security key. "It's one thing when you own the platform," Chatterjee says, noting that Google could make changes to the Android OS so it could be used as a physical security key. Doing the same for iPhone meant a partnership with Apple and more time to offer the feature.

Now, Google is giving iPhone users running iOS 10 or later the option to turn their phone into a security key. "This opens the door for a lot more people who were maybe hesitant to enroll in advanced protection," he adds. To activate a security key on iPhone, users need to first download and sign in to the Google Smart Lock app. Android users can activate and enroll here.

High-Profile Users, Low-Level Security

Google has also shared findings from a new survey conducted with The Harris Poll. Researchers surveyed 500 high-risk users living in the US to learn more about their security practices.

The results indicate a need for stronger security hygiene among those at greater risk for targeted attacks. Most (78% of) respondents perceive themselves as being at higher risk of being hacked compared with the general population due to their job or online presence. Nearly two-thirds are more concerned about their online accounts being compromised today than they were one year ago; 86% are specifically concerned about work accounts being phished.

Nearly 70% of respondents report they have been the target of a phishing attack, and 39% have been compromised. Of those, 72% say the attack used personal information tailored to them.

Despite this, many high-risk users have risky security habits: 66% of them are using two-factor authentication, compared with 69% of the general population. More than three-quarters have used their personal email account to communicate with a work colleague or contact in the past year, and 71% reuse the same password for multiple accounts. Half don't use a security key.

"Most of them knew they were under high risk of being attacked personally in their digital lives," says Chatterjee. "But at the same time, most of them didn't take basic steps to improve their security posture."

Specifically, he is concerned about politicians' security practices given they are more likely to be targeted during an election year. Ninety percent of politicians surveyed are worried about work-affiliated accounts being compromised; 83% are concerned for their personal accounts.

While the threat landscape is constantly shifting, Chatterjee anticipates phishing will continue to be a primary concern for the year ahead. "There will be different shifts in 2020 but I think there are some things that are low-hanging fruit to attackers. If you're good enough at phishing and can trick enough people, eventually people will fall for it."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
SEODan,
User Rank: Apprentice
1/16/2020 | 11:38:41 AM
Phishing will always be here
Phishing will continue to be a primary concern for the year ahead. That's for sure!