Yes, the Pixelbook power button is a U2F key. Here’s why I wouldn’t use it.

A big story making the rounds over the past few days is how the power button of Google’s Pixelbook works as a two-factor authentication (2FA) key. From a technology perspective, this is admittedly interesting. Most hardware-based 2FA devices are just that: Separate devices, typically in the form of a USB key. I didn’t cover the story because I had a concerning question, but we’ll get to that in a minute.

When I worked for Google, I was issued a 2FA key. Whenever logging in to more secure internal sites and such, I’d have to pull the USB key (made by Yubikey) out, insert it into an open USB port on my computing device, and tap the gold part of the key for authentication. The key was registered to me, so it would only work when I was trying to log in to a site or app that required it. Put another way, nobody else could log in as me with my key unless they knew my password as well. I always kept the key attached to my Google badge instead of keeping it inserted into my computer.

With just two USB-C ports, the Pixelbook is a great candidate for some alternative to a USB key like I used. So, Google decided to use the hardware button. Clever, but…

Here’s the thing. Two-factor authentication requires two out of these three things: Something you know (like a password), something you have (a USB key, perhaps) and/or something you are, such as a registered Bluetooth phone or a valid fingerprint. These are all separate things to make it harder for someone who shouldn’t have access to a site or app to get that access.

I reached out to Lukas Karlsson, who was the first to write about the Pixelbook’s power button functionality, mainly because I didn’t see the two-factor separation offered by enabling the U2F feature.

After all, someone who knows your password and could get on your Pixelbook has two of the three authentication pieces because the second is built into the Pixelbook, namely the power button. To me, this is like having your personal PIN code printed on your ATM card.

When I asked Karlsson if the Pixelbook’s integrated 2FA feature allows someone with my password to gain access, even with 2FA enabled, he responded (emphasis mine):

Yes, your Pixelbook device itself becomes your second factor. If someone is able to steal both your password and your Pixelbook, then they can gain access to your account. If your Pixelbook goes missing, disable the U2F key immediately, just as you would if you lost your keychain and your Yubikey.

Based on my concern and Karlsson’s confirmation, there’s no way I’d enable 2FA with this particular method because it essentially eliminates the strength of a second authentication factor. Instead, I’d spend the money — around $50 or less — on an external key to be the “something you have” part of 2FA. It’s your call, of course, but using the Pixelbook hardware key seems more like 1.5 factor authentication (at best) to me.

Update: The original article indicated that Karlsson works for Google, which is not the case.

17 thoughts on “Yes, the Pixelbook power button is a U2F key. Here’s why I wouldn’t use it.”

  • June 10, 2018 at 12:46 pm

    Yes, in this case it works as against phishing, not against someone in your physical vicinity. Still useful, though.

    • June 10, 2018 at 12:48 pm

      Yup, for phishing, it makes sense. But I’d never beef up security against phishing by decreasing security from physical access.

      • June 10, 2018 at 4:13 pm

        But there is no decrease in security for physical access. It’s just that you have to consider what is more likely: someone steals your Pixelbook and your password or your Yubikey and your password. And which one of those are you more likely to notice.
        I think Google is being pretty transparent that Chromebook becomes the second factor and you must treat it accordingly.

        • June 10, 2018 at 6:45 pm

          Right, to me this feels like a variation on the same approach where your phone is the second factor: Google Authenticator, Facebook, iCloud, Microsoft Office, all treat your phone itself as the second factor device. We can have debates about whether a phone that you can fit into your pocket serves as a better second factor than a Chromebook that cannot, but I can see that some (many?) people can provide the same security assurances to their Chromebook as a phone or keychain; it seems appropriate to give them that option.

  • June 10, 2018 at 3:15 pm

    I don’t think it’s meant to be 2FA for the Pixelbook. It’s a second factor for when you log into your Google account from another device. Say you get a new phone and log into your Google account. The Pixelbook can be used as a second factor for that login.

    • June 10, 2018 at 9:26 pm

      I could only see this being useful as one of the things/devices used for second factor. Carrying Pixelbook with you everywhere you may need access to your Google account is not always practical. Let us wait and see how they are planning to implement this first. We may be surprised.

  • June 10, 2018 at 8:45 pm

    I don’t understand – you think it’s easier to steal your laptop than your yubikey?

    • June 10, 2018 at 8:48 pm

      Not at all. I think it’s safer to keep the laptop and YubiKey separate when not in use. That’s not possible if it’s integrated.

      • June 11, 2018 at 12:54 pm

        I do not understand the argument. You could just look at it as a yubikey duct taped to your laptop. It feels like you’re equating your physical pixelbook to your password. If someone steals your pixelbook they haven’t stolen your password, same as when someone steals your yubikey they haven’t stolen your password either. Unless you’ve got something like Autologin set up. Plus your pixelbook is only one window into your Google account. If someone steals your yubikey and also knows your password you’re fd either way since anyone can open a browser window on any device and log in without triggering an alert (maybe a location alert). At least with the pixelbook you would notice a lot sooner if it’s missing.

        • June 11, 2018 at 1:18 pm

          Leo, you’re absolutely correct: “You could just look at it as a yubikey duct taped to your laptop.” Yes, and who would do that and think they’ve *added* security? They’ve reduced it. Put another way: By physically separating the Yubikey (or any other 2FA mechanism), you’ve added a level of security as shown by my setup of 2FA upon sign-in / reboot. I could *give* you my Pixelbook (without using the power button as 2FA) as well as my Google creds and you still get nothing. No access, no data, no online passwords stored with Google, *nothing*. That’s inarguable. And I’ll reiterate: If you (or any other readers) are comfortable without 2FA or are OK with an integrated factor, I’m not saying you’re wrong for feeling that way. It’s absolutely your choice, of course. I’m just trying to make sure people have the right information to make an informed decision.

      • June 12, 2018 at 8:17 pm

        How is it safer?
        The attacker could still log into your account from another computer if they have both your YubiKey and your password.
        They may not be able to log in to your Pixelbook, but they can effectively duplicate anything but local data by logging in to your account on a different chromebook and syncing, or just logging into a browser.
        I guess if you have more sensitive information in non-synced local data than you do in your Google account this could make sense, but that’s definitely not a typical risk profile for a Chromebook.

        • June 12, 2018 at 9:27 pm

          That’s a great example. Since I don’t keep the Yubikey in the Chromebook, there’s next to zero chance that both my Chromebook and Yubikey would be stolen, but I’m realizing that I’m not like most Yubikey users who typically leave the key in their device. And since I use my Chromebook 7 days a week, I’d know really quickly if my Yubikey was missing (since I wouldn’t be able to use my device without one of the backup methods I have set up), so I’d revoke the key. Thanks!

          • June 12, 2018 at 9:51 pm

            I think our difference comes from us talking about different things: logging in to the device or logging in to your google account. If logging in to your account, then having a (pixelbook) device as a second factor seems not to be a compromise from having a (YubiKey) device, but I agree that it wouldn’t protect logging in to your physical device as thoroughly.

  • June 11, 2018 at 2:50 am

    I would suggest using the Yubico Authenticator (YA) app instead of Google Authenticator for the numerous sites which don’t yet support Yubikeys. This makes your Yubikey your _only_ second factor, instead of having some sites use your phone’s storage as the second factor for those sites. It has the added benefit of making it such that you don’t have to set up MFA every time you change phones: the secrets stay on your Yubikey.

    I’m a bit over-cautious, and using YA lets me be even more secure: I use YA with a password that I tell it not to remember. This way, someone would need my Yubikey, as well as know my password for the account I’m trying to log into and the password for my Yubikey. And if it’s my Google account, they’d also need my Pixelbook (or another device from which I’d already logged in), or I’d get a notification that I’d signed in from a new device.

  • June 11, 2018 at 10:38 am

    I think you are missing the point of this feature, it’s not for the extreme protection of corporate or government secrets, it is for the convenience of the everyday user. It is still very secure in the sense that someone on the internet cannot gain access to your accounts or information which is the concern of 99.999% of everyday users of the pixelbook. The concern that you have is that someone steals or gains physical access to your laptop AND knows your password, which is basically your spouse or friend.

    • June 11, 2018 at 11:23 am

      I totally get the convenience factor. And you’re correct: for someone to have both my password and device (especially if the 2FA method is integrated into the device) is unlikely. Here’s my concern, which admittedly is probably more than most everyday users. I have my Chromebook set up for 2FA on every sign in. Convenient? No. Secure? Yes, because every reboot/shutdown requires both my ID, password and some *external* authentication process such as a text message number to enter or a Yubikey. I don’t leave Yubikeys in my devices because that’s bad security practice and defeats the main purpose of them. With 2FA integrated into the power button, I might as well not have it enabled at all because now, someone has access to not just my Google account but all of the stored passwords for every other online service stored with my Google account. If I keep the 2FA separate from the device (as in: not the power button), they have nothing: No Google account access, none of my other passwords and none of the local data on my Chromebook. Again, that’s probably not how most users think, so I agree with you there. I’m just not sure people understand the scope of the potential risk. And again, it’s all personal choice: I leave it up to others to make the best security decision for themselves.

  • June 12, 2018 at 6:49 am

    I don’t think it is contradictory to say that using a convenience like treating a Chromebook power button as a factor in an authentication process can be at once “useful” (in a limited set of cases) and at the same time that employing such a convenience represents “bad security practice”.

    I think the opposed positions in this dispute centre around whether employing the power button convenience in 2FA is either a) not worse than normal with respect to security and better in certain respects or b) it is a fundamentally flawed security measure that violates essential features of genuine 2FA thus making things less secure. Now, once again, it is not hard to see that these two views need not be seen as sharply contradictory – perhaps, there is nothing in this new 2FA measure (or measure that somewhat resembles 2FA) that means Chromebook users are going to be facing security issues that aren’t already a part of the common (in)security landscape but Kevin Tofel is right that a debased version of 2FA is not what anyone who is serious about beefing up security could be happy with.
