Google Notifies Chromebook Users to Reset their Internal Security Keys
The invention of Two-Factor Authentication (2FA) was necessitated by the inherent flaws of the traditional username and password system. Security experts have been advocating its use for years, and because of the constant praise, some people are tempted to think that by enabling 2FA, they have all but eliminated any chance of account takeover. This is why they turn on 2FA and pay much less attention to their passwords.
These users tend to forget, however, that if 2FA fails, the humble password is the only thing keeping their data safe. And a Chromebook vulnerability recently disclosed by Google provides yet more proof that 2FA can fail. Before we get to the details, we need to see how the 2FA system in question works.
Some Chromebooks come with built-in 2FA systems
As you probably know, 2FA can be implemented in a number of different ways. Experts consider the systems revolving around the U2F standard the most secure because the second factor often relies on a hardware token that can't be hijacked over the internet. What's more, inside it, complex cryptographic algorithms generate special keys that provide much more security when compared to codes sent via text messages or temporary passwords.
A little over a year ago, Google decided to implement a similar 2FA system in its Chromebooks. The difference was that it did away with the additional hardware tokens. Instead, all you need to do to activate the second factor is press the Power button on the Chromebook. Initially, the system was available only on Google's Pixelbooks, but after a while, other manufacturers started using chips that enabled it on their hardware as well. Google calls the technology "Built-in security key", and it's adamant that it's still in its testing phase. Clearly, there are things that need to be addressed.
A flaw in Google's 2FA implementation put security keys at risk
At the heart of the vulnerable 2FA system is the Elliptic Curve Digital Signature Algorithm (ECDSA), which is supposed to generate random secret values. These values work alongside cryptographic signatures registered with the online service to generate the keys that provide the second factor.
Google's security team found out that due to an incorrect implementation of the ECDSA, the generated values had much lower entropy than anticipated. This meant that an attacker could guess what these values were and, using stolen signatures, calculate the all-important key, defeating the second factor without having access to the victim's Chromebook.
It must be said that not everyone can pull off such an attack. First of all, the hackers need to obtain the right signature, which is usually transmitted over HTTPS and is difficult to intercept. Then, they'll have to figure out how the vulnerable ECDSA generation works and calculate the exact values which will eventually lead them to the key.
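The relationship described above, as an added example that is not from the original article or from Google: textbook ECDSA in which the per-signature secret value comes from a small space, so one signature is enough to solve for the private key, which is why affected keys have to be replaced rather than just patched. The curve (NIST P-256), the 12-bit width, and all keys, messages and function names are assumptions constructed for illustration.

```python
import hashlib

# NIST P-256 domain parameters (assumed curve; a = -3 is used in add()).
P = 0xffffffff_00000001_00000000_00000000_00000000_ffffffff_ffffffff_ffffffff
N = 0xffffffff_00000000_ffffffff_ffffffff_bce6faad_a7179e84_f3b9cac2_fc632551
G = (0x6b17d1f2_e12c4247_f8bce6e5_63a440f2_77037d81_2deb33a0_f4a13945_d898c296,
     0x4fe342e2_fe1a7f9b_8ee7eb4a_7c0f9e16_2bce3357_6b315ece_cbb64068_37bf51f5)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):  # textbook ECDSA; the caller supplies the secret value k
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (digest(msg) + r * d) % N

def recover_key(msg, sig, k_bits):
    """Return the private key if k came from a k_bits-wide space, else None."""
    r, s = sig
    pt = None
    for k in range(1, 1 << k_bits):
        pt = add(pt, G)  # pt == k*G, one addition per candidate
        if pt[0] % N == r:
            return (s * k - digest(msg)) * pow(r, -1, N) % N
    return None

# Constructed sample values, not taken from any real device.
D, MSG = digest(b"constructed private key"), b"constructed challenge"
WEAK_SIG = sign(D, MSG, 0xA5C)                       # 12-bit secret value
STRONG_SIG = sign(D, MSG, digest(b"constructed k"))  # full-width secret value
```

`recover_key(MSG, WEAK_SIG, 12)` returns `D`, while the same search against `STRONG_SIG` returns `None`: the signature equation has two unknowns, and it only stays unsolvable while the secret value is unpredictable.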
The vulnerability has already been patched
Despite the fact that an attack doesn't seem very likely for most people, Google did the right thing and fixed the security flaw. Chrome OS version 75 comes with a patch, and Chromebook users (especially those who own laptops listed in the "Affected Devices" section of Google's disclosure) must make sure that it's installed. People who have used the vulnerable 2FA system should also heed the alerts the OS shows and replace their registered signatures with new ones.
One thing people mustn't do is turn off 2FA because of vulnerabilities such as the one described above. Yes, it does sometimes fail to act as well as it should, but even the less secure implementation still adds a layer of protection that simply doesn't exist without it. Don't forget, however, that the first factor is just as important as the second one.