Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

1/15/2020
04:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Google Lets iPhone Users Turn Device into Security Key

The iPhone can now be used in lieu of a physical security key as a means of protecting Google accounts.

Google today announced updates to its Advanced Protection Program (APP), including the option for Apple iPhone users to use their smartphone as a security key instead of buying a separate physical key. It's also bringing easier enrollment for the program to iPhone and Android devices.

APP aims to bring stronger security protections to politicians, journalists, activists, business executives, and other high-risk individuals likely to be targeted with cyberattacks. It's difficult to define what makes these people vulnerable, as it depends on who they are and what they do. Politicians may be at higher risk during an election year; some activists may be targeted by their own governments. Journalists may be at higher risk if they're in a war zone or certain countries.

Some are at risk because of their worth. Shuvo Chatterjee, product manager with Google's APP, points to cryptocurrency investors as an example. "Time and time again we see people bragging on Twitter about how much they have, and they become a target," he explains.

The APP was introduced to defend against phishing attacks and protect data by limiting access to information and adding extra account verification. Only Google apps and select third-party apps can access emails and Drive files, for example. Users must have a physical security key.

While participants like the program, Chatterjee says, many found the security key difficult from a usability standpoint. "It's still this strange thing for most people," he explains. "They don't understand what it is; it's still another thing you have to carry around." The APP previously required the use of two physical security keys, which would turn people away when enrolling.

Last year, Google gave Android users the option to use their phone as a physical security key. Android devices running version 7.0 (Nougat) or later could double as keys to be used for two-factor authentication when logging into personal Google accounts and G Suite or Google Cloud.

Expanding the same option to iPhones presented more of a challenge. When Android devices became compatible as security keys, APP users with iPhones were still required a particular Bluetooth security key. "It's one thing when you own the platform," Chatterjee says, noting that Google could make changes to the Android OS so it could be used as a physical security key. Doing the same for iPhone meant a partnership with Apple and more time to offer the feature.

Now, Google is giving iPhone users running iOS 10 or later the option to turn their phone into a security key. "This opens the door for a lot more people who were maybe hesitant to enroll in advanced protection," he adds. To activate a security key on iPhone, users need to first download and sign into the Google Smart Lock app. Android users can activate and enroll here.

High-Profile Users, Low-Level Security

Google has also shared findings from a new survey conducted with The Harris Poll. Researchers surveyed 500 high-risk users living in the US to learn more about their security practices.

The results indicate a need for stronger security hygiene among those at greater risk for targeted attacks. Most (78% of) respondents perceive themselves as being at higher risk of being hacked compared with the general population due to their job or online presence. Nearly two-thirds are more concerned about their online accounts being compromised today than they were one year ago; 86% are specifically concerned about work accounts being phished.

Nearly 70% of respondents report they have been the target of a phishing attack, and 39% have been compromised. Of those, 72% say the attack used personal information tailored to them.

Despite this, many high-risk users have risky security habits: 66% of them are using two-factor authentication, compared with 69% of the general population. More than three-quarters have used their personal email account to communicate with a work colleague or contact in the past year, and 71% reuse the same password for multiple accounts. Half don't use a security key.

"Most of them knew they were under high risk of being attacked personally in their digital lives," says Chatterjee. "But at the same time, most of them didn't take basic steps to improve their security posture."

Specifically, he is concerned about politicians' security practices given they are more likely to be targeted during an election year. Ninety percent of politicians surveyed are worried about work-affiliated accounts being compromised; 83% are concerned for their personal accounts.

While the threat landscape is constantly shifting, Chatterjee anticipates phishing will continue to be a primary concern for the year ahead. "There will be different shifts in 2020 but I think there are some things that are low-hanging fruit to attackers. If you're good enough at phishing and can trick enough people, eventually people will fall for it."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Keep Security on Life Support After Software End-of-Life."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27742
PUBLISHED: 2020-10-28
An Insecure Direct Object Reference vulnerability in Citadel WebCit through 926 allows authenticated remote attackers to read someone else's emails via the msg_confirm_move template. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926&qu...
CVE-2020-27980
PUBLISHED: 2020-10-28
Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WLAN SSID parameter. This could allow an attacker to perform malicious actions in which the XSS popup will affect all privileged users.
CVE-2020-24990
PUBLISHED: 2020-10-28
An issue was discovered in QSC Q-SYS Core Manager 8.2.1. By utilizing the TFTP service running on UDP port 69, a remote attacker can perform a directory traversal and obtain operating system files via a TFTP GET request, as demonstrated by reading /etc/passwd or /proc/version.
CVE-2020-25204
PUBLISHED: 2020-10-28
The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to the player. However, the applicatio...
CVE-2020-27739
PUBLISHED: 2020-10-28
A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in users' sessions. NOTE: this was reported to the vendor in a publicly archived "Multiple Security Vulnerabilities in WebCit 926" thread.