On 5/6/20 1:58 PM, Doug wrote:
> I am not a security expert. I certainly would not notice the 2FA versus 2SV although now I see it is a real thing. What really impressed me and got me to take out the credit card after I read the article was that Google required all employees to use a Yubikey to do their day-to-day jobs.
Google is an extremely high value target. Google needs (and apparently has) better security than do most countries.
If I were running Google security I would put a *lot* of effort into securing endpoints. That is, I would put effort into making sure no malware got onto employee computers. I would not let employees install whatever Chinese or Russian or American software they wanted; I would tell them to use their own computers for their own purposes.
I would demand that employees treat their work security as if it were one of the most important things in their lives. I would do stuff (e.g., dedicated computer) that does not scale across the rest of employees' lives' security needs.
Assembling that security would be a lot of work; I don't know the details, but it might well involve Yubikeys. But if it did, I doubt I would allow employees to commingle their Google Yubikey with personal use.
It would be easy to cargo-cult copy a few things visible from the outside, but very hard for others to duplicate in a real way.
-kb