[gaia]

2FA would make it harder to exploit, but phishing attacks are getting fancier. They capture the 2FA code you enter and immediately start a session elsewhere with your password and 2FA. Hardware 2FA, a security key, (such as a Yubikey) is the only likely way to prevent phishing (excluding targets of state actors) https://support.google.com/accounts/answer/6103523?hl=en

[fnl]

> They capture the 2FA code

How can that be done? That's between my phone and Google, so how can they "listen in" on that?

[putlake]

The phishing site will ask you for your 2FA code and then enter it on the real Google login page.

[fnl]

Hmm, but that gets us back to "stage one": For that to work, you have to ignore your URL-bar...

[acchow]

Why would a yubikey prevent this? They can still send the 2FA code to Google to start your session...

[jlebar]

No, they cannot with the U2F protocol (as implemented by yubikey).

The simplified version is, Google sends the browser a one-time key, which the browser forwards to the HW token to sign with its private key. Then the browser sends this back to the web server to verify, using its copy of the HW token's public key.

This would be vulnerable to MITM attacks, as you say.

So what the protocol actually does is concatenate the nonce sent by the web server with the origin of the web page as seen by the browser and have the HW token sign that. This way the server can verify that the HW token signed the right nonce for the right origin.

See https://docs.google.com/document/d/1SjCwdrFbVPG1tYavO5RsSD1Q..., search for "origin".

[acchow]

Oh I think I've never used this feature with my Yubikey - it's just been essentially an external keyboard that types rather quickly.

[AlexCoventry]

It's only available on newer yubikeys.

[jamescrowley]

It's a different protocol. Not an expert but as I understand it U2F isn't totally out of band - the browser communicates the URL so the token you give wouldn't be accepted by Google when it is replayed

[jamescrowley]

@extrapickles describes it better further down: https://news.ycombinator.com/item?id=13376402

[smeehee]

Google can prompt you to confirm the login via your phone. It appears to work well: there's a time-out, and this time-out is also triggered if a second login attempt is made in parallel (and reaches the confirmation stage).

So… whichever login attempt gets to confirmation stage last wins (not relevant in this situation), and the confirmation screen on (at least) my phone does not indicate anything regarding location (which is highly relevant).

This looks a little weaker than TOTP (you're basically trading a little security for the convenience of not entering a code while keeping the second factor) and a lot weaker than U2F.

[shimon_e]

> Hardware 2FA, a security key, (such as a Yubikey) is the only likely way to prevent phishing For now.

[semi-extrinsic]

Or manual challenge-response, like some internet banking tokens have.