Update, Sept. 05, 2024: This story, originally published Sept. 03, now includes an explainer regarding OAuth and passkey technology, and news of a hardware security key bypass.
Hot on the heels of a warning about a dramatic rise in the number of attacks targeting Gmail users, comes a timely reminder that Google is about to force Google Workspace users into taking security more seriously. Starting September 30, access to your Gmail account from “less secure apps, third-party apps, or devices that only require a username and password to sign in” will no longer be supported. This latest move is part of an effort to stamp out what Google refers to as an “antiquated sign-in method,” one that puts Gmail users at greater risk of compromise from those who seek unauthorized access to your Google account as it involves sharing your credentials with third-party apps and devices. This forthcoming change impacts all Google Workspace customers, Google said.
Gmail Support For Less Secure Apps Dropped And Google Sync To Be Discontinued
Google made it clear that support for what it calls less secure apps, along with Google Sync, would be dropped in a Google Workspace update posted almost exactly a year ago. The decision to tighten up authentication security in this way was first suggested in December 2019 but, with the impact of Covid taken into account, was suspended in March the following year. Now the deadline for getting your Gmail, plus Calendar and Contact accounts, in order is fast approaching.
Although it might appear that Google is making your life harder, in fact, it’s taking a common-sense approach to the problem of account authentication, which will effectively shrink the threat landscape as it applies to your Gmail account. I cannot emphasize enough how much of a good thing this is and how we should be applauding Google for finally stepping up and addressing the less secure apps issue. Indeed, this follows on from the April 1 implementation of stricter authentication requirements for bulk senders of email to Gmail accounts so as to reduce the volume of malicious spam traffic for users.
Access to all such less secure apps will be discontinued from September 30 unless more secure access is used, Google said: “You will need to login with a more secure type of access called OAuth.” This applies to all Google Workspace accounts, with CalDAV, CardDAV, IMAP, POP and Google Sync all no longer supporting just a password-based login credential.
What Action Gmail Users Need To Take
As previously reported, the less secure apps setting has already been removed from the Google Workspace Admin Console. When it comes to end users, however, Google advises that you need to take action or you will be presented with an error message informing you that your username and password login is incorrect.
- Users of Outlook 2016 or earlier should move to Microsoft 365 or Outlook for Windows or Mac, as these support the required OAuth access.
- Users of Thunderbird or other email clients will need to re-add their Google account and ensure it is configured to use IMAP with OAuth.
- Users of Mail for iOS or macOS, or Outlook for Mac, who aren’t already using “Sign in with Google,” which automatically uses OAuth, should switch to it; Google notes that they will “need to remove and re-add your account.”
Google has confirmed that users with personal Gmail accounts will no longer be able to toggle IMAP from their settings as “IMAP access is always enabled over OAuth and your current connections will not be impacted.”
OAuth And Passkeys Explained
OAuth, which is shorthand for Open Authorization, is simply a framework that enables a user to securely share data between applications by allowing sites and services to access resources from other sites and services. This open standard means that a user can give those sites and services access to information without giving them access to your password credentials. There are four roles that are involved in this process: a resource owner, a third-party client, an authorization server and a resource server. The resource owner is you, the user, and you tell the service, site or application, the third-party client, to share your information but not your login credentials. So how does that work then? I know I said simply earlier, but it’s actually quite complicated. The thinned-down version is that you share your login credentials with a trusted authorization server, and it is that server which issues a token to enable access for the client. It is this token that is used by the third-party client to access the data from the resource server, the site, service or app that you wish to share information from.
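The four roles above, reduced to working code as an added illustration for this article (a hypothetical model, not Google’s implementation): only the authorization server ever checks the password, the third-party client receives a scoped, expiring token it can have revoked without a password change, and the resource server accepts nothing else. The final helper builds the SASL XOAUTH2 string that an IMAP client sends to Gmail in place of a password, which is what the “IMAP with OAuth” advice above amounts to on the wire.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Hypothetical model of the four OAuth roles above, written for this article and
// not Google's code: only the authorization server holds the password; the client
// gets a scoped, expiring, revocable token, which is all the resource server sees.
type token struct{ scope string; expires time.Time }
type AuthServer struct{ password string; tokens map[string]token }

func NewAuthServer(pw string) *AuthServer { return &AuthServer{pw, map[string]token{}} }

// Issue runs after the resource owner signs in here and consents to the scope.
func (a *AuthServer) Issue(password, scope string, ttl time.Duration) (string, error) {
	if password != a.password {
		return "", errors.New("resource owner authentication failed")
	}
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read does not fail in current Go
	tok := base64.RawURLEncoding.EncodeToString(raw)
	a.tokens[tok] = token{scope, time.Now().Add(ttl)}
	return tok, nil
}

// Revoke cuts off one client; the password and every other token are untouched.
func (a *AuthServer) Revoke(tok string) { delete(a.tokens, tok) }

// Authorize is the resource server's check on the token a client presents.
func (a *AuthServer) Authorize(tok, scope string) error {
	t, ok := a.tokens[tok]
	switch {
	case !ok:
		return errors.New("unknown or revoked token")
	case time.Now().After(t.expires):
		return errors.New("token expired")
	case t.scope != scope:
		return fmt.Errorf("token scoped to %q, not %q", t.scope, scope)
	}
	return nil
}
// XOAUTH2 is the SASL string an IMAP client sends to Gmail in place of a password.
func XOAUTH2(user, tok string) string {
	return base64.StdEncoding.EncodeToString([]byte("user=" + user + "\x01auth=Bearer " + tok + "\x01\x01"))
}
```

Revoking a token in the model leaves every other client working, which is the practical difference from a shared password that had to be rotated everywhere at once.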
OK, so where do passkeys fit into this? Good question, given that passkey adoption is on the rise, with password management app developer 1Password reporting more than 700,000 passkeys created and saved by its users in the last four months of 2023 alone. According to 1Password's chief product officer, Steve Won, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.” That’s because a passkey is, in fact, comprised of two keys: a unique public key and a private key. The public key is both created and stored on the computers of the company providing the service involved, the account you are trying to access, while the private one is stored on your device, such as your smartphone or laptop. The public key is used to create, in effect, a challenge that only the private key can solve.
This doesn’t mean that passkeys make OAuth obsolete. The passkey can be thought of as a replacement for a username and password to log in to a service, whereas OAuth is required to share data with a third-party service because it securely grants the access token.
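The passkey challenge described above, as an added sketch for this article and not any vendor’s code: the pair is generated on the device and only the public half goes to the service, every sign-in is a fresh random challenge, and, as WebAuthn does, the signature also covers the site identity the client observed, so a signature collected on a look-alike domain is useless at the real one. The rpID value and user names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Hypothetical sketch of the passkey split described above, written for this
// article and not any vendor's code: the private key stays on the device, the
// service stores only the public key, and sign-in is a random challenge only the
// matching private key can answer. As in WebAuthn the signature also covers the
// site identity the client saw, so one obtained on a look-alike domain fails here.
type Device struct{ priv ed25519.PrivateKey } // phone or laptop holding the secret
type Service struct {
	rpID string                       // site identity, e.g. "accounts.example" (constructed)
	pubs map[string]ed25519.PublicKey // per-user public keys; no private key here
}

// Register generates the pair on the device and uploads the public half only.
func Register(s *Service, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubs[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge is fresh per sign-in, so a captured signature cannot be replayed.
func (s *Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Answer signs the challenge bound to the site the client actually talked to.
func (d *Device) Answer(observedRP string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(observedRP+"|"), challenge...))
}

// Verify accepts only a signature over this service's own identity.
func (s *Service) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubs[user]
	msg := append([]byte(s.rpID+"|"), challenge...)
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("sign-in rejected")
	}
	return nil
}
```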
Security Keys Are Not Invincible, But They Are 101% Better Than Passwords
You may have seen worrying reports that one of the best-known and most popular producers of hardware security keys, YubiKey, has been hacked. Actually, more precisely, security researchers have detailed a vulnerability in the form of a cryptographic flaw. Most worrying of all, it would seem at first glance, is the fact that this vulnerability cannot be patched according to the researchers. So, how worried should you be, and does it mean that you should stop using hardware security keys, or at least the YubiKey 5, which is the device found to be compromised in this way?
The short answer is not really and no.
Let’s start by looking at what the security researchers from NinjaLabs uncovered and detailed. In his paper, EUCLEAK: Side-Channel Attack on the YubiKey 5 Series, researcher Thomas Roche revealed that a side-channel vulnerability in a cryptographic library, undiscovered for an astonishing 14 years, was present due to a “non constant-time modular inversion.” That sounds like it’s out of an episode of Doctor Who, and while fact rather than fiction, it might as well be to be honest. I’m not devaluing the work of Roche and NinjaLabs one little bit, but I am having a dig at the media coverage that smells far too Chicken Little in places for me.
The security key sky is not falling in.
The science bit, in necessarily precise form, is that a microcontroller used by the YubiKey 5 has a vulnerability that means the security key can be cloned. That’s the bad news. The good news is that, in order to exploit this vulnerability and clone the YubiKey 5 (or, one would be prudent to assume, any other authentication hardware using the same microcontroller), a number of requirements must be met. None of these are the easiest of tasks to achieve. First you need to have physical access to the security key in the first place. Most people who use hardware security keys are going to be savvy enough not to leave them plugged into a machine while they go for lunch, or on a desk, or anywhere really. That’s kind of the point of paying for such things: users appreciate the security on offer and know how to mitigate risk. But, assuming temporary access to a key has been gained, then an attacker would need to dismantle the key itself. This is not an easy task either, as the keys are made to be tamper-resistant, as you would expect. But again, let’s say you didn’t throw solvents and a hot-air gun at it and managed to pry the thing apart, what then? Well, as long as you have the requisite $11,000 of custom hardware you could theoretically extract the necessary private keys needed to clone the thing.
I can think of a lot easier ways to try and compromise an account that don’t cost as much or involve such a hit and miss process, truth be told. And, no, I’m not going to tell you what they are although phishing and malware would likely be involved.
As YubiKey said in its advisory on the matter, YSA-2024-03, “The attacker may also require additional knowledge including username, PIN, account password, or authentication key,” which makes it even less likely to be a real issue in the real world. Not that YubiKey is sitting on its security laurels. “As part of ongoing improvements in Yubico products and to reduce exposure to our supply chain, the dependency on Infineon’s cryptographic library has been removed in favor of Yubico’s own cryptographic library,” the advisory confirmed.