Apple has finally embraced key-based 2FA. So should you
Hardware keys are more secure—and finally ready for the masses. …
reader comments
186 with 126 posters participating
Almost three years ago, Google introduced its Advanced Protection Program (APP), a security plan for high-risk users that requires hardware keys for account access and is arguably the industry’s most effective way to stop account takeovers in their tracks. But until now there was a major flaw that held APP back: its iPhone and iPad offerings were prohibitively limited for most users. Now that this has changed—more on the change in a bit—I feel comfortable recommending APP much more widely.
What is APP?
By requiring users to produce a physical security key in addition to a password each time they log in with a new device, APP is designed to stop the kinds of account breaches that Russian operatives used to disrupt the 2016 presidential election when they published sensitive emails from high-ranking Democratic officials.
Those attacks presented targets with convincing emails purportedly from Google. They warned, falsely, that the target’s account password had been obtained by an outsider and should immediately be changed. When Hillary Clinton’s presidential campaign chairman John Podesta and other Democrats complied, they effectively surrendered their passwords to hackers. Although hackers have many ways to compromise accounts, phishing remains one of the most popular, both because it’s easy and because the success rate is so high.
APP makes such attacks all but impossible. The cryptographic secrets stored on the physical keys required by APP can’t be phished and—theoretically—can’t be extracted even when someone gets physical access to a key or hacks the device it connects to. Unless attackers steal
Continue reading – Article source