
Google introduces Security Key for better 2-step verification

Google has done a lot to help strengthen web security. They urge users of their services to set up 2-step verification to ensure the only person accessing your account is you. Don’t know what 2-step verification is? This article should give you a nice idea, but the skinny of it is that you use your phone as a way for Google to confirm that you’re the one signing into your account. Verification typically involves a short security code sent to you via text message, which you enter when logging in.

But Google says even that isn’t enough — what if a malicious website is posing as an authentic Google site and you accidentally give them the verification code for your account? Well, that’s a tough luck situation at this point in time, but Google’s introducing a new method that could solve that problem.

Security Key is the name of the feature, and it uses a small USB key that implements Universal 2nd Factor (a FIDO Alliance creation) to let you verify yourself by plugging it into your computer and giving it a little tap. This is possible thanks to the U2F implementation in Chrome, so Google’s sites have been tricked out to “listen” for this tap and allow you to log in without having to input a code. The USB key will only issue a cryptographic signature after verifying that the site you’re logging into is a secure Google website. Here are the benefits laid out by Google:

What’s more, Google’s hoping this protocol will benefit more than just their own users. Because Chrome has U2F compatibility built in, they’ve ensured any site can use the technology to set up similar security measures. Google also hopes competitors will get on board — they want everyone on the web to be safe even if those folks don’t use their browser. Good guy, Google, good guy.

So what do you need? A U2F-capable USB key. You can find a couple of them on Amazon right now for relatively affordable prices, so be sure to look into them if this is something that interests you. Beyond that, just make sure your Chrome browser is updated to version 38 and you’ll be able to use U2F for secure logins across all of Google’s services. This isn’t an excuse to completely dump the traditional 2-step verification method — many sites, browsers and devices won’t be compatible with U2F this early in the game — but this is a nice first step toward making the web a more secure place. Let’s hope others will get with the program in due time.
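To make the difference between a typed code and a Security Key concrete, here is a small model added for illustration (not Google's or the FIDO Alliance's code) of the look-alike-site scenario described above. It assumes the origin `https://accounts.google.com`, a constructed look-alike origin, hypothetical function names, and HMAC standing in for the ECDSA signature a real U2F key produces.

```python
import hashlib
import hmac
import json
import secrets

GENUINE = "https://accounts.google.com"        # assumed origin, for illustration
PHISH = "https://accounts.google.com.example"  # constructed look-alike origin

class SecurityKey:
    """Toy U2F-style token; HMAC stands in for the real ECDSA signature."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def _site_key(self, origin):
        # One key per origin: a credential made for one site is useless on another.
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # Real U2F gives the site a public key; this model shares the HMAC key.
        return self._site_key(origin)

    def sign(self, client_data):
        # The key signs the origin the browser reports, not what the page claims.
        origin = json.loads(client_data)["origin"]
        return hmac.new(self._site_key(origin), client_data, hashlib.sha256).digest()

def browser_client_data(origin, challenge):
    # The browser, not the page, fills in the origin of the tab that asked.
    return json.dumps({"origin": origin, "challenge": challenge}).encode()

def server_verify_key(site_key, challenge, client_data, signature):
    data = json.loads(client_data)
    expected = hmac.new(site_key, client_data, hashlib.sha256).digest()
    return (data["origin"] == GENUINE and data["challenge"] == challenge
            and hmac.compare_digest(expected, signature))

def server_verify_code(expected_code, submitted_code):
    # A typed code carries no origin: it verifies whichever page collected it.
    return hmac.compare_digest(expected_code, submitted_code)

def login_via(origin):
    """Return (code_accepted, key_accepted) for a sign-in made through `origin`."""
    key = SecurityKey()
    site_key = key.register(GENUINE)
    challenge, code = secrets.token_hex(16), f"{secrets.randbelow(10**6):06d}"
    client_data = browser_client_data(origin, challenge)
    signature = key.sign(client_data)
    return (server_verify_code(code, code),  # the code arrives unchanged either way
            server_verify_key(site_key, challenge, client_data, signature))
```

`login_via(GENUINE)` accepts both factors, while `login_via(PHISH)` still accepts the typed code but rejects the key's response, because the signature covers the look-alike origin.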

[via Google Security]
