Teri Radichel

How to Get Around a Google Hardware Security Key Bug

Attempting to allow users to use Hardware Security Keys without enabling Passwordless (skipping passwords)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Google Security | Cloud Governance | DNS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’ve written about a Google hardware security key bug that is currently preventing me from using a hardware security key to log into my accounts without enabling passwordless. I also wrote about why I do not want to use the passwordless option: you can’t rotate your face. There’s also too much biometric information out there already getting stolen.

The number associated with a hardware security key is not the best kind of second factor. It is short, with a limited number of characters to guess in a brute-force attack. Also, the number and the key are related rather than being two completely separate MFA factors.

So I want to use a hardware security key, but when I logged into my accounts, even though I had set up a YubiKey on them, I was not getting the option to use my YubiKey as my second factor. I presume that is because passwordless is not enabled. I get an error message that says something like “your administrator has not enabled passwordless.”

While I was logged into one admin account in an incognito window (so I would not lose access to my account), I enabled the 2-step verification option to only allow hardware security keys.

Then I logged out and back into another account. When I tried to log in, I was first asked for my user name and password, as expected.

Then Google popped up a message about a passkey, even though I have not enabled passwordless. It told me that I was going to have to register my biometric data (face, fingerprint, etc.). But I did not enable passwordless in the administrative console. I only disallowed all forms of 2FA except hardware security keys. I just clicked through that screen as if I were going to use that option, and even though passwordless is not enabled on my account, it let me use my hardware security key (a YubiKey) to get into the account.

After I did that, I changed 2-step verification back to allowing other forms of authentication, but still no passwordless. Now when I log into my account, it asks me for my hardware security key by default, but it calls it a passkey.

But it is not a passkey according to Google’s own definition:

Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor.

Next I tried to log into my Gmail app on my phone. However, with the option to use all types of authentication, the hardware key still did not come up as the default option, nor could I select it as an option when I clicked on “Try another way.”

Back to the admin screen. I changed the settings to only allow a hardware security key.

Now I can’t log in at all on my phone. I get an error message that says Google can’t log me in because my organization’s security policies don’t allow it.

So what I did at that point was enable passwordless in my admin console. That allowed me to log in using my passkey, but without any biometric information.

Once I was logged in, I disabled the passkey option again. At that point, I would be able to use my email until whenever I got logged out. What I noticed was that on this phone my account keeps getting logged out and I have to log back in for some reason.

After that point, I disabled passwordless again. I removed the account from my device and tried to log in again with only the hardware key option allowed in my admin account. Nope. I can’t log in. I also tried on a different phone. Nope.

So I went through the process of allowing and then disallowing passwordless temporarily to get this to work. But like I said, it keeps logging me out all the time and forcing me to log back in, so I don’t know if I’m going to have to keep doing this in my admin console just so I can use my hardware security key and a password I choose, instead of biometrics or a number with a much smaller range of brute-force attempts required to guess it.

Not only is that number easy to guess in a brute-force attack, the number and the hardware security key are the same source for the factors. That’s not really the best kind of two-factor solution, as I explain in my book at the end of this post.

Google has a bug here and they need to fix it, because not everyone wants to give their biometric data to Google or use a short number to log into their accounts. Administrators may still want to use a password with hardware security keys.

Update 3/20/2024

I was just trying to log into an account that I moved into an organizational unit created as described in this post.

I could not log in with the settings that require a hardware security key as a second factor (with passwordless disabled), even though the user had a hardware security key. I logged out of that user account and back into an administrator that has a key that works by default, I presume because it was created before Google added passwordless functionality. Then I deleted the existing hardware security key for the second user by navigating to Users > [User] > Security and added the key again from the admin console. Then I logged out as admin and back in as the second user, and the hardware security key worked as a second factor in incognito mode in Chrome. I didn’t test it on mobile.

I hope they fix this soon.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Tags: Google, Passwordless, Hardware Security Key, Authentication, Security