Last month, an article by Brian Krebs reported that no Google employee has had an account taken over since the company deployed YubiKeys for two-factor authentication (Krebs, 2018). Below is a picture of my YubiKey, which I’ve been using since 2015.
A YubiKey requires no power supply or driver of its own. You simply plug it in and press it when prompted for the second factor. Because of the way its pins are wired, the device presents itself to the computer as a keyboard-style USB (HID) device, so the computer reads its output as keystrokes. Yubico’s enterprise-level products can be configured to generate one-time passwords, encrypt/decrypt OpenPGP documents or emails, and more. Mine uses the FIDO U2F standard and is suited to securing web-based applications that support U2F.
Before deploying YubiKeys, Google primarily relied on one-time passwords sent via text message or generated by the Google Authenticator app. The strength of the YubiKey over these methods is that it is not connected to any cellular network. SMS messages have been shown to be interceptable through vulnerabilities in the SS7 network (the signalling network all telecom companies use to manage calls and text messages) (Brandom, 2017). There has also been a rise in SIM-card cloning and in social engineering of carriers’ customer-service staff to steal accounts. Once attackers control the phone number, they can potentially take over any account tied to it, including gaining access to authenticator apps.
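To make concrete what the key does when you press it, and why no phone number or cellular network is involved, the following is an added example (not Yubico’s firmware and not code from the original post) that models the U2F challenge/response flow in plain Python. Real security keys sign with a per-site ECDSA P-256 key; this model substitutes an HMAC-SHA256 tag for the signature so it runs on the standard library alone, which is an assumption of the example. The origins, user name and challenge values are constructed. It shows the three checks a relying party makes: the browser-supplied origin must match, the challenge must match, and the signature counter must increase, which is why a relayed assertion from a look-alike site or a replayed assertion is rejected.

```python
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Constructed model of a U2F authenticator (not Yubico's firmware).
    Real keys use a per-site ECDSA P-256 key; an HMAC-SHA256 tag stands in
    for the signature here so the example needs only the standard library."""

    def __init__(self):
        self.master_secret = secrets.token_bytes(32)  # never leaves the device
        self.counter = 0                              # monotonic signature counter

    def _site_key(self, app_id, key_handle):
        # Per-site key derived from the master secret: a different app_id
        # (i.e. a different origin) yields a different key.
        return hmac.new(self.master_secret, app_id.encode() + key_handle,
                        hashlib.sha256).digest()

    def register(self, app_id):
        key_handle = secrets.token_bytes(16)
        # The real protocol returns a public key; the stand-in returns the
        # verifier key the relying party will store.
        return key_handle, self._site_key(app_id, key_handle)

    def authenticate(self, app_id, key_handle, client_data):
        self.counter += 1  # incremented on every touch
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + self.counter.to_bytes(4, "big")
                  + hashlib.sha256(client_data).digest())
        sig = hmac.new(self._site_key(app_id, key_handle), signed,
                       hashlib.sha256).digest()
        return self.counter, sig


def browser_sign(key, origin, challenge, key_handle):
    """The browser writes the origin the user is actually on into clientData
    and uses it as the app_id; a look-alike site cannot borrow the real one."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin},
                             sort_keys=True).encode()
    counter, sig = key.authenticate(origin, key_handle, client_data)
    return client_data, counter, sig


class RelyingParty:
    """The web application verifying assertions (constructed)."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}  # username -> [key_handle, verifier, last_counter]

    def register(self, user, key):
        key_handle, verifier = key.register(self.origin)
        self.users[user] = [key_handle, verifier, 0]
        return key_handle

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, user, challenge, client_data, counter, sig):
        key_handle, verifier, last_counter = self.users[user]
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") != challenge:
            return False  # assertion made for another origin or another challenge
        if counter <= last_counter:
            return False  # replayed assertion, or a cloned key lagging behind
        signed = (hashlib.sha256(self.origin.encode()).digest()
                  + counter.to_bytes(4, "big")
                  + hashlib.sha256(client_data).digest())
        expected = hmac.new(verifier, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.users[user][2] = counter
        return True


def demo():
    key = SecurityKey()
    rp = RelyingParty("https://accounts.example.com")  # constructed origin
    handle = rp.register("alice", key)

    # 1. Legitimate login: browser on the real origin signs the real challenge.
    ch = rp.new_challenge()
    assertion = browser_sign(key, rp.origin, ch, handle)
    legit = rp.verify("alice", ch, *assertion)

    # 2. The same assertion sent again: counter has not moved, so it fails.
    replay = rp.verify("alice", ch, *assertion)

    # 3. Relayed login: a look-alike origin (constructed) forwards the real
    #    challenge; the browser binds its own origin, so the server rejects it.
    ch2 = rp.new_challenge()
    phished = rp.verify("alice", ch2,
                        *browser_sign(key, "https://accounts-example.com", ch2, handle))
    return {"legit": legit, "replay": replay, "phished": phished}


if __name__ == "__main__":
    print(demo())
```

Nothing in this exchange depends on a phone number, a carrier, or SS7 reachability; the only channel is the USB connection between the key and the computer, and the only secret is the one that never leaves the key.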
This story highlights the shortcomings of using cellular devices for two-factor authentication. I would personally say that any second factor is better than none, but it is also important to understand that your cellular network can be your biggest weakness for authentication. I would recommend using your cell phone only when no other option is offered.
References:
Brandom, R. (2017, September 18). This is why you shouldn’t use texts for two-factor authentication. Retrieved August 19, 2018, from https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin
Krebs, B. (2018, July 18). Google: Security Keys Neutralized Employee Phishing. Retrieved August 19, 2018, from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/