
1/15/2020
04:15 PM

Google Lets iPhone Users Turn Device into Security Key

The iPhone can now be used in lieu of a physical security key as a means of protecting Google accounts.

Google today announced updates to its Advanced Protection Program (APP), including the option for Apple iPhone users to use their smartphone as a security key instead of buying a separate physical key. It's also bringing easier enrollment for the program to iPhone and Android devices.

APP aims to bring stronger security protections to politicians, journalists, activists, business executives, and other high-risk individuals likely to be targeted with cyberattacks. It's difficult to define what makes these people vulnerable, as it depends on who they are and what they do. Politicians may be at higher risk during an election year; some activists may be targeted by their own governments. Journalists may be at higher risk if they're in a war zone or certain countries.

Some are at risk because of their worth. Shuvo Chatterjee, product manager with Google's APP, points to cryptocurrency investors as an example. "Time and time again we see people bragging on Twitter about how much they have, and they become a target," he explains.

The APP was introduced to defend against phishing attacks and protect data by limiting access to information and adding extra account verification. Only Google apps and select third-party apps can access emails and Drive files, for example. Users must have a physical security key.

While participants like the program, Chatterjee says, many found the security key difficult from a usability standpoint. "It's still this strange thing for most people," he explains. "They don't understand what it is; it's still another thing you have to carry around." The APP previously required the use of two physical security keys, which would turn people away when enrolling.

Last year, Google gave Android users the option to use their phone as a physical security key. Android devices running version 7.0 (Nougat) or later could double as keys to be used for two-factor authentication when logging into personal Google accounts and G Suite or Google Cloud.

Expanding the same option to iPhones presented more of a challenge. When Android devices became compatible as security keys, APP users with iPhones were still required to use a particular Bluetooth security key. "It's one thing when you own the platform," Chatterjee says, noting that Google could make changes to the Android OS so it could be used as a physical security key. Doing the same for iPhone meant a partnership with Apple and more time to offer the feature.

Now, Google is giving iPhone users running iOS 10 or later the option to turn their phone into a security key. "This opens the door for a lot more people who were maybe hesitant to enroll in advanced protection," he adds. To activate a security key on iPhone, users need to first download and sign in to the Google Smart Lock app. Android users can activate and enroll here.

High-Profile Users, Low-Level Security

Google has also shared findings from a new survey conducted with The Harris Poll. Researchers surveyed 500 high-risk users living in the US to learn more about their security practices.

The results indicate a need for stronger security hygiene among those at greater risk for targeted attacks. Most (78% of) respondents perceive themselves as being at higher risk of being hacked compared with the general population due to their job or online presence. Nearly two-thirds are more concerned about their online accounts being compromised today than they were one year ago; 86% are specifically concerned about work accounts being phished.

Nearly 70% of respondents report they have been the target of a phishing attack, and 39% have been compromised. Of those, 72% say the attack used personal information tailored to them.

Despite this, many high-risk users have risky security habits: 66% of them are using two-factor authentication, compared with 69% of the general population. More than three-quarters have used their personal email account to communicate with a work colleague or contact in the past year, and 71% reuse the same password for multiple accounts. Half don't use a security key.

"Most of them knew they were under high risk of being attacked personally in their digital lives," says Chatterjee. "But at the same time, most of them didn't take basic steps to improve their security posture."

Specifically, he is concerned about politicians' security practices given they are more likely to be targeted during an election year. Ninety percent of politicians surveyed are worried about work-affiliated accounts being compromised; 83% are concerned for their personal accounts.

While the threat landscape is constantly shifting, Chatterjee anticipates phishing will continue to be a primary concern for the year ahead. "There will be different shifts in 2020 but I think there are some things that are low-hanging fruit to attackers. If you're good enough at phishing and can trick enough people, eventually people will fall for it."


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
SEODan,
User Rank: Apprentice
1/16/2020 | 11:38:41 AM
Phishing will always be here
Phishing will continue to be a primary concern for the year ahead. That's for sure!