Google Pushing U2F

grarpamp grarpamp at gmail.com
Sat Dec 24 10:59:57 PST 2016


https://news.ycombinator.com/item?id=13126880
https://it.slashdot.org/story/16/12/24/0037256/u2f-security-keys-may-be-the-worlds-best-hope-against-account-takeovers
http://fc16.ifca.ai/preproceedings/25_Lang.pdf

U2F keys "may be the world's best hope against account takeovers":
"The Security Keys are based on Universal Second Factor, an open
standard that's easy for end users to use and straightforward for
engineers to stitch into hardware and websites. When plugged into a
standard USB port, the keys provide a 'cryptographic assertion' that's
just about impossible for attackers to guess or phish. Accounts can
require that cryptographic key in addition to a normal user password
when users log in. Google, Dropbox, GitHub, and other sites have
already implemented the standard into their platforms. After more than
two years of public implementation and internal study, Google security
architects have declared Security Keys their preferred form of
two-factor authentication. The architects based their assessment on
the ease of using and deploying keys, the security it provided against
phishing and other types of password attacks, and the lack of privacy
trade-offs that accompany some other forms of two-factor
authentication."
The researchers wrote in a recently published report: "We have shipped
support for Security Keys in the Chrome browser, have deployed it
within Google's internal sign-in system, and have enabled Security
Keys as an available second factor in Google's Web services. In this
work, we demonstrate that Security Keys lead to both an increased
level of security and user satisfaction as well as cheaper support
cost."

Whatever happened to properly secured use of TOTP?

