By 
Google’s done a lot on their part to help strengthen web security. They urge users of their services to setup 2-step verification to ensure the only person accessing your account is you. Don’t know what 2-step verification is? This article should give you a nice idea, but the skinny of it is that you use your phone as a way for Google to prove that you’re the one signing into your account. Verification typically involves using a short security code sent to you via text message that you input when logging in.
But Google says even that isn’t enough — what if a malicious website is posing as an authentic Google site and you accidentally give them the verification code for your account? Well, that’s a tough luck situation in this current point and time, but Google’s introducing a new method that could solve that problem.
Security Key is the name of the feature, and it utilizes a small USB key that uses Universal 2nd Factor (a FIDO Alliance creation) to allow you to verify yourself by plugging it into your computer and giving it a little tap. This is possible thanks to U2F implementation in Chrome, so Google’s sites have been tricked out to “listen” for this tap and allow you to login without having to input a code. The USB key will only issue an encrypted signature after verifying that the site you’re logging into is a secure Google website. Here are the benefits laid out by Google:
- Better protection against phishing. With 2-Step Verification, Google requires something you know (your password) and something you have (like your phone) to sign in. Google sends a verification code to your phone when you try to sign in to confirm it’s you. However, sophisticated attackers could set up lookalike sites that ask you to provide your verification codes to them, instead of Google. Security Key offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.
- No mobile connection or batteries needed. Security Key works without a data connection, and you can carry it wherever you go on a keychain or in your wallet.
What’s more is that Google’s hoping this protocol will benefit more than just their own users. As Chrome has U2F compatibility built in they’ve ensured any site can use the technology to setup similar security measures. Google also hopes competitors will get on board — they want everyone on the web to be safe even if those folks don’t use their browser. Good guy, Google, good guy.
So what do you need? A U2F-capable USB key. You can find a couple of them on Amazon right now for relatively affordable prices so be sure to look into them if this is something that interests you. Beyond that, just make sure your Chrome browser is updated to version 38 and you’ll be able to use U2F for secure logins across all of Google’s services. This isn’t an excuse to completely dump the traditional 2-step verification method — many sites, browsers and devices won’t be compatible with U2F this early in the game — but this is a nice first step toward making the web a more scure place. Let’s hope others will get with the program in due time.
[via Google Security]
Nice! Not really sure I need one since I’m pretty good about verifying the authenticity of a link when opening from anywhere other than a trusted source. Will be very valuable for those less tech savvy.
Those that are less tech savvy probably don’t care about 2-step anyways.
You’re right, but the less tech savvy are the people who *should* care about it the most.
What about for mobile devices? This sounds like it works for desktop only.
This one has NFC:
http://www.amazon.com/gp/product/B00LX8KZZ8
This is great news for those that are security concious.
I don’t use Chrome. And Google Authenticator FTW!
Personally I rather not bother with more items to worry about so I’ll stick with the app (I say this on the day I lose my work dumb phone.)