Experts are recommending that enterprises strive for two-factor authentication — especially new types of 2FA — because of its ease of use and lower risk of human error.
Mark Risher, head of account security at Google, agreed that 2FA should be the baseline of security for enterprises. But he also noted that some types of 2FA are commonly misunderstood by users or may seem more daunting than they should.
In our discussion, Risher talked about the new types of 2FA, like Universal Second Factor (U2F) and WebAuthn, and how those new options could be game changers for users and enterprises alike.
Editor’s note: This interview has been edited for length and clarity.
Can you walk through the different types of 2FA?
Mark Risher: There are two things that are on the table right now. One of them is how a user authenticates to Google, and the second is how the user authenticates to some non-Google service — a payroll provider, a benefit site, document collaboration, what have you. For the first one, authenticating to Google, we already offer many different types of 2FA, including what is a more robust security key-based approach.
Then, when you want to get to the third party, you have two options. The first one is you can single sign-on and go through Google. The user’s connecting first to Google and then tapping back that trust chain, extending that trust chain to the third party — that’s the single sign-on approach. Or, the user can go direct to the third party, and there they could utilize the open standards that we built. Google Authenticator is a product based off of an open standard that’s called TOTP, [or] time-based one-time password.
But security key is also an open standard, and the recently standardized WebAuthn web authentication is another open standard where people can completely leave Google out of the mix and just go straight to that payroll provider using a second factor that follows these new advanced standards.
What are the benefits of WebAuthn over other types of 2FA?
Risher: The challenge is very few people in the world spend time thinking about authentication, and they should; it’s a means to an end. No one cares about your login page, but [both users and threat actors] are trying to get some valuable service on the other side of it. The problem is that, because they don’t think about it as much, all of these nonpassword or beyond-passwords-type solutions start to feel the same. Particularly in the enterprise world, people say, ‘Ten years ago, I had this RSA thing I’d hung on my keychain, and every minute it would give me a new code. And everything that’s come since then feels like a variation of the same thing, so I don’t get the difference.’
The huge difference is that, with all of these one-time password-based solutions, things like the RSA SecurID, the code sent to your phone, or even the user-friendly thing, where your phone gets just a yes-no button to pop up — we call it Google Prompt, but other companies have their own thing — all of those, there’s one critical gap that is exploited by attackers: … the onus is on the user to make sure that he or she is on the correct site for typing in that thing, or pressing that button or what have you. And if the user messes up, if the user gets fooled by a phishing attack, by a reasonable facsimile of the site, then the user has just passed that information to the adversary and is now back to square one, where they’re no better off than a password.
The other camp is this modern camp, which includes security key and standards like U2F and WebAuthn. It’s a game changer, because the user no longer has that burden of responsibility. In the modern technique, you flip it upside down — the site or app has to prove to the key that it is legitimate, that it is exactly what it claims to be and if, and only if, that proof succeeds will the key release its information back up to the site.
You’ll notice in that second scenario I didn’t mention the user at all. The user can be off at the coffee machine paying no attention whatsoever, totally distracted and totally uneducated on which site it is, because the human has been taken out of the loop. The key is proving itself to the site, and the site is proving itself to the key.
That’s a big game changer, because now you’ve taken something that could happen anywhere around the world and relies on humans never making mistakes — which we know is not possible — and turned it into a problem where you need to have physical proximity; you need to be right there by the machine. And it’s something computers are good at — they do exact matches very well.
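The mechanism behind this, as an added example that is not part of the interview or Google's code: in U2F/WebAuthn the browser records the origin it actually loaded and the key signs over that origin together with the relying party's ID, so an assertion produced on a look-alike page is rejected by the real site without the user doing anything. The relying-party ID, origins and challenge below are constructed for the illustration, and the authenticator data omits flags and the signature counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Constructed for the example: the relying party's ID and origin, and a look-alike phishing origin.
const rpID, rpOrigin, phishOrigin = "payroll.example", "https://payroll.example", "https://payroll.example.evil.test"
// Assertion is what the security key hands back on each login (flags and counter omitted for brevity).
type Assertion struct{ AuthData, ClientData, Sig []byte }
// signedMessage is what the key signs: sha256(rpID) || sha256(clientDataJSON).
func signedMessage(authData, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}
// Sign models browser plus key: the browser, not the page, records the origin it actually loaded, and that
// origin is sealed under the signature, so a look-alike page cannot claim to be the real site.
func Sign(priv *ecdsa.PrivateKey, origin, challenge string) Assertion {
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	h := sha256.Sum256([]byte(rpID)) // credential was registered for rpID; its hash goes into every assertion
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(h[:], cd))
	return Assertion{h[:], cd, sig}
}
// Verify is the relying party's check: its own rpID hash, its own origin, the challenge it issued, a valid signature.
func Verify(pub *ecdsa.PublicKey, challenge string, a Assertion) bool {
	var cd struct{ Challenge, Origin string }
	want := sha256.Sum256([]byte(rpID))
	if string(a.AuthData) != string(want[:]) || json.Unmarshal(a.ClientData, &cd) != nil ||
		cd.Challenge != challenge || cd.Origin != rpOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientData), a.Sig)
}
// Demo registers one key, runs a real login, then a relay attempt in which a phishing page forwards the
// genuine challenge to the user's key. Returns (legitimateAccepted, phishedAccepted).
func Demo() (bool, bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "constructed-challenge-1234" // real relying parties issue fresh random bytes per login
	legit := Sign(priv, rpOrigin, challenge)
	phished := Sign(priv, phishOrigin, challenge) // the key still answers; the user did nothing different
	return Verify(&priv.PublicKey, challenge, legit), Verify(&priv.PublicKey, challenge, phished)
}
func main() {
	fmt.Println(Demo()) // prints "true false": real origin accepted, relayed phishing assertion rejected
}
```

A real browser would refuse to invoke the key at all for an rpID that does not match the page's origin; the example lets the key answer anyway to show that even then the signed origin makes the assertion useless at the genuine site.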
What kind of work is needed on the enterprise side in order to provide that proof to make this work?
Risher: It depends on how the enterprise app does authentication. The easiest one to roll out is the single-sign-on-based platform, because that uses the standards that have been around for a long time, including SAML [Security Assertion Markup Language]. Using that allows an enterprise to say, ‘I’m not going to change all 100 of my back-office applications; I’m just going to have people first connect to this secure gateway, and then the gateway will relay on to this.’
This is the easiest, because it means you’re usually integrating just in one place — that core authentication — and then all the different apps rely upon it. The other option is piecemeal. You go to each of those services and see if they support authentication. And that complexity and that tedium is the reason that enterprises have generally liked single-sign-on-based approaches.
The ultimate aim — no matter what types of 2FA are being discussed — tends to be ease of use and fewer points for human mistakes.
Risher: Exactly, and it’s rare that we get that bifecta. Usually, people are expecting better security comes at a cost, and the cost is more complexity for the user. Instead, with this stuff, we kind of have a sweet spot where it’s better security for the user, and the complexity is borne by the computer. So, it’s actually easier for the users.
It’s actually so rare, people are suspicious. But just because it feels easy doesn’t mean they’re giving something up. In fact, they’ve moved into a whole new class of modern authentication that is much more robust, much stronger, much better.
If you were the IT manager at a smaller enterprise, how would you sell this to the board to be able to get the resources to implement something like this?
Risher: The way I would do that is by explaining the concept of attack surface. If you are using passwords or phishable second vectors like a one-time password, the set of attackers is literally everyone with an internet connection anywhere in the world. If any of those people knows your password, they are able to connect to the service. [It] doesn’t mean they want to, [and it] doesn’t mean that they’re focusing on you. But, statistically speaking, they will eventually.
So, what I would say to the board is, ‘Do you feel comfortable in a world where if anyone anywhere in the world learns our password they are able to access our services? Or, would I like to shrink that down by 10 orders of magnitude to only people that have physical possession of my device can connect to my service?’ That’s really the transformation: those 10 orders of magnitude from anyone anywhere in the world down to physical possession of the device.
Is it ever really limited to just physical access? Even with the physical security key authentication set up on a Google account, there is an option to fall back to SMS-based codes or the Google Prompt.
Risher: We have offered the option to use security keys for our regular accounts for many years. But, you’re right, that does have a fallback. So, that has not actually raised your security. It’s given you the convenience of a second factor that you don’t have to do any heavy lifting for, but you’re not getting the security benefit. To have the security benefits, you need to turn off, disable [or] preclude any of those fallback mechanisms. And that’s why for our Advanced Protection Program we have disabled any of those other fallbacks.
With Advanced Protection, once you enroll, if you lose the security key, then you truly cannot connect. And if someone attacking does not have the security key, they truly cannot connect. That’s why we sell two of them together in the kit for the Titan Key. And that’s why, when we do Advanced Protection enrollment, we require people to set up two separate keys, because the idea is that, if you lose them, you’re really out for good. You need to give one to a family member or leave it at home or put it in a safe place so that you have that fallback under your control.
Do you see others moving to offer more secure options like that, as well?
Risher: We haven’t seen many. It is emerging, and it’s something we’re trying to pressure and encourage people to do, because that’s the direction we need to move in to get those true security guarantees. With that said, there’s a tension, particularly with companies that operate at large scale — scales comparable to Google — that it is more common for users to accidentally lock themselves out than for attackers to be trying to break in.
Right now, for every one attack that we stop, there are 1,000 innocent people that we make go through some inconvenience. And we do need to play with that ratio. That’s why some of our peers in the industry have been hesitant to fully embrace the kind of mandatory enforcement of security keys, but it’s clearly the direction it has to go. Right now, for high-risk individuals — whether they are celebrities, or high-ranking officials, or people with a lot of control at an enterprise, or journalists or activists — we are strongly promoting Advanced Protection programs, because that’s the direction that we want everyone to move into.