Yes, the Pixelbook power button is a U2F key. Here’s why I wouldn’t use it.

A big story making the rounds over the past few days is how the power button of Google’s Pixelbook works as a two-factor authentication (2FA) key. From a technology perspective, this is admittedly interesting. Most hardware-based 2FA devices are just that: Separate devices, typically in the form of a USB key. I didn’t cover the story because I had a concerning question, but we’ll get to that in a minute.

When I worked for Google, I was issued a 2FA key. Whenever logging in to more secure internal sites and such, I’d have to pull the USB key (made by Yubikey) out, insert it into an open USB port on my computing device, and tap the gold part of the key for authentication. The key was registered to me, so it would only work when I was trying to log in to a site or app that required it. Put another way, nobody else could log in as me with my key unless they knew my password as well. I always kept the key attached to my Google badge instead of keeping it inserted into my computer.

With just two USB-C ports, the Pixelbook is a great candidate for some alternative to a USB key like I used. So, Google decided to use the hardware button. Clever, but…

Here’s the thing. Two-factor authentication requires two out of these three things: Something you know (like a password), something you have (a USB key, perhaps) and/or something you are, such as a registered Bluetooth phone or a valid fingerprint. These are all separate things to make it harder for someone who shouldn’t have access to a site or app to get that access.

I reached out to Lukas Karlsson, who was the first to write about the Pixelbook’s power button functionality, mainly because I didn’t see the two-factor separation offered by enabling the U2F feature.

After all, someone who knows your password and could get on your Pixelbook has two of the three authentication pieces because the second is built-in to the Pixelbook; namely the power button. To me, this is like having your personal PIN code printed on your ATM card.

When I asked Karlsson if the Pixelbook’s integrated 2FA feature allows someone with my password to gain access, even with 2FA enabled, he responded (emphasis mine):

Yes, your Pixelbook device itself becomes your second factor. If someone is able to steal both your password and your Pixelbook, then they can gain access to your account. If your Pixelbook goes missing, disable the U2F key immediately, just as you would if you lost your keychain and your Yubikey.

Based on my concern and Karlsson’s confirmation, there’s no way I’d enable 2FA with this particular method because it essentially eliminates the strength of a second authentication factor. Instead, I’d spend the money — around $50 or less — on an external key to be the “something you have” part of 2FA. It’s your call, of course, but using the Pixelbook hardware key seems more like 1.5 factor authentication (at best) to me.

Update: The original article indicated that Karlsson works for Google, which is not the case.

21 thoughts on “Yes, the Pixelbook power button is a U2F key. Here’s why I wouldn’t use it.

  • June 10, 2018 at 12:46 pm
    Permalink

    Yes, in this case it works as against phishing, not against someone in your physical vicinity. Still useful, though.

    Reply
    • June 10, 2018 at 12:48 pm
      Permalink

      Yup, for phishing, it makes sense. But I’d never beef up security against phishing by decreasing security from physical access.

      Reply
      • June 10, 2018 at 4:13 pm
        Permalink

        But there is no decrease in security for physical access. It’s just that you have to consider what is more likely: someone steals your Pixelbook and your password or your Yubikey and your password. And which one of those are you more likely to notice.
        I think Google is being pretty transparent that Chromebook becomes the second factor and you must treat it accordingly.

        Reply
        • June 10, 2018 at 6:45 pm
          Permalink

          Right, to me this feels like a variation on the same approach where your phone is the second factor: Google Authenticator, Facebook, iCloud, Microsoft Office, all treat your phone itself as the second factor device. We can have debates about whether a phone that you can fit into your pocket serves as a better second factor than a Chromebook that cannot, but I can see that some (many?) people can provide the same security assurances to their Chromebook as a phone or keychain; it seems appropriate to give them that option.

          Reply
  • June 10, 2018 at 3:15 pm
    Permalink

    I don’t think it’s meant to be 2FA for the Pixelbook. It’s a second factor for when you log into your Google account from another device. Say you get a new phone and log into your Google account. The Pixelbook can be used as a second factor for that login.

    Reply
    • June 10, 2018 at 9:26 pm
      Permalink

      I could only see this being useful as one of the things/devices used for second factor. Carrying Pixelbook with you everywhere you may need access to your Google account is not always practical. Let us wait and see how they are planning to implement this first. We may be surprised.

      Reply
  • June 10, 2018 at 8:45 pm
    Permalink

    I don’t understand – you think it’s easier to steal your laptop than your yubikey?

    Reply
    • June 10, 2018 at 8:48 pm
      Permalink

      Not at all. I think it’s safer to keep the laptop and YubiKey separate when not in use. That’s not possible if it’s integrated.

      Reply
      • June 11, 2018 at 12:54 pm
        Permalink

        I do not understand the argument. You could just look at it as a yubikey duct taped to your laptop. It feels like you’re equating your physical pixelbook to your password. If someone steals your pixelbook they haven’t stolen your password, same as when someone steals your yubikey they haven’t stolen your password either. Unless you’ve got something like Autologin setup. Plus your pixelbook is only one window into your Google account. If someone steals your yubikey and also know your password you’re fd either way since anyone can open a browser window on any device and login without triggering an alert (maybe a location alert). At least with the pixelbook you would notice a lot sooner if it’s missing.

        Reply
        • June 11, 2018 at 1:18 pm
          Permalink

          Leo, you’re absolutely correct: “You could just look at it as a yubikey duct taped to your laptop.” Yes, and who would do that and think they’ve *added* security? They’ve reduced it. Put another way: By physically separating the Yubikey (or any other 2FA mechanism), you’ve added a level of security as shown by my setup of 2FA upon sign-in / reboot. I could *give* you my Pixelbook (without using the power button as 2FA) as well as my Google creds and you still get nothing. No access, no data, no online passwords stored with Google, *nothing*. That’s inarguable. And I’ll reiterate: If you (or any other readers) are comfortable without 2FA or are OK with an integrated factor, I’m not saying you’re wrong for feeling that way. It’s absolutely your choice, of course. I’m just trying to make sure people have the right information to make an informed decision.

          Reply
      • June 12, 2018 at 8:17 pm
        Permalink

        How is it safer?
        The attacker could still log into your account from another computer if they have both your YubiKey and your password.
        They may not be able to log in to your Pixelbook, but they can effectively duplicate anything but local data by logging in to your account on a different chromebook and syncing, or just logging into a browser.
        I guess if you have more sensitive information in non-synced local data than you do in your Google account this could make sense, but that’s definitely not a typical risk profile for a Chromebook.

        Reply
        • June 12, 2018 at 9:27 pm
          Permalink

          That’s a great example. Since I don’t keep the Yubikey in the Chromebook, there’s next to zero chance that both my Chromebook and Yubikey would be stolen, but I’m realizing that I’m not like most Yubikey users who typically leave the key in their device. And since I use my Chromebook 7 days a week, I’d know really quickly if my Yubikey was missing (since I wouldn’t be able to use my device without one of the backup methods I have set up), so I’d revoke the key. Thanks!

          Reply
          • June 12, 2018 at 9:51 pm
            Permalink

            I think our difference comes from us talking about different things: logging in to the device or logging in to your google account. If logging in to your account, then having a (pixelbook) device as a second factor seems not to be a compromise from having a (YubiKey) device, but I agree that it wouldn’t protect logging in to your physical device as thoroughly.

  • June 11, 2018 at 2:50 am
    Permalink

    I would suggest using the Yubico Authenticator (YA) app instead of Google Authenticator for the numerous sites which don’t yet support Yubikeys. This makes your Yubikey your _only_ second factor, instead of having some sites use your phone’s storage as the second factor for those sites. It has the added benefit of making it such that you don’t have to set up MFA every time you change phones: the secrets stay on your Yubikey.

    I’m a bit over-cautious, and using YA lets me be even more secure: I use YA with a password that I tell it not to remember. This way, someone would need my Yubikey, as well as know my password for the account I’m trying to log into and the password for my Yubikey. And if it’s my Google account, they’d also need my Pixelbook (or another device from which I’d already logged in), or I’d get a notification that I’d signed in from a new device.

    Reply
  • June 11, 2018 at 10:38 am
    Permalink

    I think you are missing the point of this feature, it’s not for the extreme protection of corporate or government secrets, it is for the convenience of the everyday user. It is still very secure in the sense that someone on the internet cannot gain access to your accounts or information which is the concern of 99.999% of every day users of the pixelbook. The concern that you have it that someone steals or gains physical access to your laptop AND knows your password, which is basically your spouse or friend.

    Reply
    • June 11, 2018 at 11:23 am
      Permalink

      I totally get the convenience factor. And you’re correct: for someone to have both my password and device (especially if the 2FA method is integrated into the device) is unlikely. Here’s my concern, which admittedly is probably more than most every day users. I have my Chromebook set up for 2FA on every sign in. Convenient? No. Secure? Yes, because every reboot/shutdown requires both my ID, password and some *external* authentication process such as a text message number to enter or a Yubikey. I don’t leave Yubikeys in my devices because that’s bad security practice and defeats the main purpose of them. With 2FA integrated into the power button, I might as well not have it enabled it all because now, someone has access to not just my Google account but all of the stored passwords for every other online service stored with my Google account. If I keep the 2FA separate from the device (as in: not the power button), they have nothing: No Google account access, none of my other passwords and none of the local data on my Chromebook. Again, that’s probably not how most users think, so I agree with you there. I’m just not sure people understand the scope of the potential risk. And again, it’s all personal choice: I leave it up to others to make the best security decision for themselves.

      Reply
      • July 10, 2018 at 7:50 pm
        Permalink

        >I have my Chromebook set up for 2FA on every sign in.

        How? Have you tried disabling wifi, and then logging in? And then enabling wifi and having full access to your google account… no yubikey required.

        Reply
  • June 12, 2018 at 6:49 am
    Permalink

    I don’t think it is contradictory to say that using a convenience like treating a Chromebook power button as a factor in an authentication process can be at once “useful” (in a limited set of cases) and at the same time that employing such a convenience represents “bad security practice”.

    I think the opposed positions in this dispute centre around whether employing the power button convenience in 2FA is either a) not worse than normal with respect to security and better in certain respects or b) it is a fundamentally flawed security measure that violates essential features of genuine 2FA thus making things less secure. Now, once again, it is not hard to see that these two views need not be seen as sharply contradictory – perhaps, there is nothing in this new 2FA measure (or measure that somewhat resembles 2FA) that means Chromebook users are going to be facing security issues that aren’t already a part of the common (in)security landscape but Kevin Tofel is right that a debased version of 2FA is not what anyone who is serious about beefing up security could be happy with.

    Reply
  • July 4, 2018 at 9:59 pm
    Permalink

    Kevin: I would say that Lukas was right about the 2FA and this post is … not quite right.

    Let’s count the factors with this scheme:
    1) Knowledge of the password
    2) Possession and access to the Pixelbook

    Let’s count the factors with YubiKey:
    1) Knowledge of the password
    2) Possession of the USB key

    Note that in the second case, possession of the Pixelbook is *no longer required*. So you have NOT made your security weaker, at least not *strictly weaker*. The fact that the physical key can no longer be separated from the laptop is immaterial, because the laptop was never required for 2FA in the USB key case.

    Now you could make the argument that possession of the laptop could make it it slightly more likely to get the password, through password managers or electrical-level access to hot RAM, so the two factors are somewhat closer than in the YubiKey case. But with password managers, you knew what you were signing up for, and the second attack is highly unlikely, resource intensive, and usually defeated by simple software measures like wiping password buffers.

    Worth noting that even with undetected compromise of your Pixelbook (a keylogger), an attacker still has to wait for you to do the 2FA action (pressing the button) to get in, just like they’d have to wait for the USB key to be plugged in. So this aspect does not suffer measurably.

    This post comes up pretty high in search results for Pixelbook U2F, so I’d urge you to at least elaborate more on your concerns. Right now the article seems centered on “key and laptop are no longer separated”, which does not affect security much.

    Reply
    • July 5, 2018 at 10:26 am
      Permalink

      Appreciate the thoughtful comment, Ovi. Based on some comments here, I suspect my use case in particular is unique because I have 2FA set up on my Pixelbook for sign in. It doesn’t even show my account on the log in page so I have to type my email and password after bootup. And then there’s the U2F on top of that. With that setup, someone needs my password, my Pixelbook and my Yubikey for the 2FA. Because I keep the Yubikey separate, even in the unlikely event someone has my Pixelbook and my password, they can’t access it. Nor can they access my Google account (which is where all of my online passwords are stored) again because they don’t have the Yubikey. If the Pixelbook power button replaces the Yubikey for 2FA, then do have access to the device, my account and all of my passwords.

      That’s the most concrete example I can provide; hope that helps.

      Additionally (and I’m not saying it’s precisely related) Google has new disclaimer for using the Pixelbook button for U2F: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1110058 Reason: “The experimental U2F implementation is recently drawing more attention, and users are stumbling upon various restrictions (including some that have security implications) that we intend to resolve before public launch. Make users aware of this by showing a
      warning message with the u2_flags command.”

      Again, may not be directly related but thought it was worth mentioning as I’m curious what security implications Google has found.

      Reply
      • July 5, 2018 at 2:58 pm
        Permalink

        > With that setup, someone needs my password, my Pixelbook and my Yubikey for the 2FA.

        I don’t think they need your Pixelbook at all. They can just take the Yubikey and the password and go do all this stuff on another computer, Chromebook or not. I think that’s where the disagreement comes from.

        If you were to switch to the power button U2F, this *would* make your Pixelbook required for access, replacing the YubiKey requirement.

        You could make the argument that the Pixelbook *might* have copies of your other passwords via the Google password manager, so the 2FA for accounts *other* than Google is weaker because the Pixelbook is a single point of access. I don’t quite know if the Google password manager does enough to prevent this — to make sure the passwords “live in your Google account” in your words, and not on the Pixelbook. But what I was saying above is that it’s a more complicated argument, and a tradeoff of password managers in general. For 2FA accounts where the password is not stored in a manager, like the Google account itself, the security of 2FA doesn’t seem to diminish with the switch to power button U2F.

        I read the u2f_flags warning as a general warning about beta, including bugs and usability issues, and not specifically about weaker security on a permanent basis.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.