
Revisit and see if it's possible to set up a code-less Google or G Suite Account

Open nelsonjchen opened this issue 7 years ago • 4 comments

Love your talk at Cactuscon. It's a great checklist to start off with. This is a follow-up issue to the question I asked.

As we discussed, the U2F method verifies the domain name before it hands over the unique code. Credsniper can't fake that part. It was a bit incredible to see the claim that this handles "all" 2FA but a quick investigation shows that this just punts those to the user-entered codes such as SMS/TOTP.

The question is:

Is it possible to set up a code-less Google or G Suite Account? No backup codes, no TOTP, no SMS.

Possible approaches/ingredients:

  • Two U2F keys - I heard this is what they do internally at Google.
    • https://support.google.com/accounts/answer/6103523?co=GENIE.Platform%3DAndroid&hl=en#lost-security-key
  • Forcing U2F only validation on the G Suite Domain. Does this disable SMS/Backup Codes/TOTP?
    • https://support.google.com/a/answer/2548882?hl=en
    • Can this be applied to normal, run-of-the-mill Gmail accounts? Probably not, since G Suite can cross-delegate practically.

nelsonjchen avatar Sep 29 '18 18:09 nelsonjchen
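The origin check the post refers to, modelled as an added toy example (this is not CredSniper code and not Google's or the FIDO implementation). A security key never sees the page's origin; the browser fills it into the signed client data and refuses a relying-party ID that the page's host is not allowed to claim, and the relying party then rejects any assertion whose origin is not its own. Assumptions: the relying-party ID `google.com`, the origin `https://accounts.google.com`, the phishing host names, and the use of HMAC-SHA256 in place of the real ECDSA P-256 signature (so the block runs on the standard library) are all constructed for illustration.

```python
"""Toy model of why a phishing reverse proxy cannot relay a U2F/WebAuthn login.

Constructed example: real authenticators sign with ECDSA P-256; HMAC-SHA256
stands in here so the block runs on the standard library. The property shown
is origin binding, not the signature algorithm.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "google.com"                       # relying-party identifier (assumed)
RP_ORIGIN = "https://accounts.google.com"  # origin the RP expects in clientData (assumed)


class Authenticator:
    """Security key: one credential per rp_id; it never sees the page origin."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> key

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # 'key' plays the role of the public key handed to the RP

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            return None  # no credential scoped to this rp_id
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(auth, page_origin, rp_id, cred_id, challenge):
    """The user agent's part: it records the real page origin in the client data
    and refuses an rp_id that the page's host is not a sub-domain of."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: {page_origin} may not use rp_id {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    sig = auth.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    if sig is None:
        raise ValueError("NotAllowedError: no credential for this relying party")
    return client_data, sig


def rp_verify(key, challenge, client_data, sig):
    """Relying-party checks: type and challenge, then origin, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced on some other site
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    expected = hmac.new(
        key, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, sig)


def rewrite_client_data(client_data, **fields):
    """Model of a relay editing fields in client data it did not sign."""
    cd = json.loads(client_data)
    cd.update(fields)
    return json.dumps(cd, sort_keys=True).encode()


def login_attempt(page_origin, rp_id=RP_ID):
    """Run one login through a page at page_origin; returns 'ok' or the failure class."""
    auth = Authenticator()
    cred_id, key = auth.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(16)
    try:
        client_data, sig = browser_get_assertion(auth, page_origin, rp_id, cred_id, challenge)
    except ValueError as e:
        return str(e).split(":")[0]
    return "ok" if rp_verify(key, challenge, client_data, sig) else "rejected"


if __name__ == "__main__":
    print("real site:     ", login_attempt("https://accounts.google.com"))
    print("look-alike host:", login_attempt("https://accounts.google.com.evil.test"))
    print("own rp_id:      ", login_attempt("https://accounts.google.com.evil.test", rp_id="evil.test"))
```

The two failure paths are the ones that matter for the question in the post: a look-alike host cannot ask for the real relying party's ID at all, and if it asks for its own ID the key holds no credential for it. Even a relay that could obtain an assertion and edit the origin or challenge field would fail the signature check, because both are covered by the signed client-data hash. Nothing in this flow involves a code the user can be talked into typing, which is why the codeless setup the post asks about is what removes the fallback.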

Also, how does this experience, if there are no codes, work on iOS and Android? What if we exempted 2FA only during setup and then enforced it afterwards?

nelsonjchen avatar Sep 29 '18 20:09 nelsonjchen

I also got a lot of this from here:

https://gweb-cloudblog-publish.appspot.com/products/g-suite/7-ways-admins-can-help-secure-accounts-against-phishing-g-suite/amp/

nelsonjchen avatar Sep 29 '18 20:09 nelsonjchen

https://blog.caffeinesecurity.com/fido-u2f-on-mac-and-ios-demystified-42318cc58fb

nelsonjchen avatar Oct 03 '18 14:10 nelsonjchen

It looks like it is possible. If you visit this link on a Gmail account, it's a very friendly wizard to get started with disabling the codes. If you visit this link on a G Suite account, it'll punt the friendliness, but it'll point to this page about setting up Advanced Protection for G Suite. I don't think the email scanning checkboxes mentioned there will work against that calendar phishing attack, though, but the "require security token" should be seriously effective.

https://myaccount.google.com/advanced-protection/enroll/details?pli=1

I think what's left is to see if these options can cause credsniper to totally fail.

nelsonjchen avatar Oct 03 '18 14:10 nelsonjchen