Google enables Security Key support for 2-Step Verification

Martin Brinkmann
Oct 21, 2014
Updated • Jan 4, 2018

One of the best ways to improve the security of a Google account is to enable 2-step verification for it. The idea behind the feature is to combine the usual account username and password with local information tied to a mobile phone.

So, rather than signing in with just your Google email and password, you also need to enter a code that is generated on the fly when you sign in on untrusted devices.

Attackers who get hold of the username and password cannot sign in without that code.

Google announced support for Security Key today to improve 2-Step Verification further in some scenarios.

Instead of entering a code generated by the smartphone, you connect the Security Key device to your computer's USB port.

Here is the technical explanation of how that is done:

At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin website during the user enrollment step. Later, when the user performs a login, the origin website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user’s private key and creates a signature which is sent back to the origin to verify the presence of the U2F device.

The method offers two distinct advantages over using the smartphone to generate a code:

  1. The Security Key only works with websites that it is supposed to work with. According to Google, it won't authenticate your account on phishing websites, as it verifies the site you are on before it submits the extra code to it.
  2. It requires no extra battery or mobile connection, and no drivers need to be installed on the host system.
  3. According to Google, you can still use the verification code at any time as well. That's handy if you are signing in on a device that does not support USB, or if you don't have the Security Key at hand at the time.
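
The enrollment and login exchange quoted above, together with the origin check from point 1, as an added example that is not code from this article, Google or the FIDO Alliance. It is a simplified model: the `U2fDevice` class, the `login` and `verifyLogin` helpers and the `https://accounts.example` origin are constructed for illustration, and keys live in memory rather than in a secure element.

```javascript
// Added illustration (Node.js): simplified U2F model, not Google's or FIDO's code.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// The token: mints one key pair per origin, looked up by an opaque key handle.
class U2fDevice {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = crypto.randomBytes(32).toString('hex');
    this.keys.set(keyHandle, { privateKey, appParam: sha256(origin) });
    return { publicKey, keyHandle }; // this is all the website stores
  }
  // `origin` is supplied by the browser, not by the page's own script.
  sign(origin, keyHandle, clientData) {
    const entry = this.keys.get(keyHandle);
    if (!entry || !entry.appParam.equals(sha256(origin))) return null; // wrong site
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.counter);
    // U2F layout: application param | user presence | counter | challenge param
    const signed = Buffer.concat(
      [entry.appParam, Buffer.from([1]), counter, sha256(clientData)]);
    return { counter, signature: crypto.sign('sha256', signed, entry.privateKey) };
  }
}

// Website side: rebuild the signed bytes from its OWN origin and challenge.
function verifyLogin(rpOrigin, publicKey, challenge, clientData, response) {
  const cd = JSON.parse(clientData);
  if (cd.origin !== rpOrigin || cd.challenge !== challenge) return false;
  const signed = Buffer.concat(
    [sha256(rpOrigin), Buffer.from([1]), response.counter, sha256(clientData)]);
  return crypto.verify('sha256', signed, publicKey, response.signature);
}

// One login attempt; browserOrigin is the site the user actually has open.
function login(device, browserOrigin, rpOrigin, enrolled) {
  const challenge = crypto.randomBytes(16).toString('hex');
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const response = device.sign(browserOrigin, enrolled.keyHandle, clientData);
  if (!response) return 'device-refused';
  return verifyLogin(rpOrigin, enrolled.publicKey, challenge, clientData, response)
    ? 'accepted' : 'rejected';
}
```

A login from the enrolled origin returns `'accepted'`, while the same key handle presented from a look-alike origin returns `'device-refused'`, because the key is bound to the hash of the origin it was enrolled for.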

There are downsides to this as well which need to be mentioned:

  1. You cannot use it on devices that don't support USB. If you use mobile phones or tablets most of the time, you may not be able to use it as they may not have a USB port that you can connect the key to.
  2. You need to purchase a compatible device; you cannot use just any USB flash drive for that. That said, devices are cheap and start at about $6 over at Amazon.
  3. Security Key works only in Google Chrome at the time of writing. To be precise, it needs to be Chrome version 38 or newer on all supported operating systems.

If you have a Security Key compatible device in your possession already, you can head over to the Google account 2-step verification page to set it up.

Note that you need to load that page in Chrome as you will get a message otherwise telling you that your browser is not supported by the feature.

Check out information about the U2F project on Google's Internet Identity Research website.


Comments

  1. Maou said on October 22, 2014 at 1:59 am

    Looks too troublesome right now, at least for me who uses multiple computers and devices and only login on a need basis, including Thunderbird and Outlook will be too messy for my tastes.

  2. deltoid said on October 22, 2014 at 12:17 am

    1) Does it also work in Google’s CHROMIUM browser?

    2) Can you use this device with only Google websites, or can it also be used to be verified with OTHER websites, for ex: Dropbox, Evernote, etc…?

    1. Martin Brinkmann said on October 22, 2014 at 12:33 am

      I cannot answer 1) but it is likely. As far as 2) is concerned, if a site supports it, it can be used for that as well.

  3. RG said on October 21, 2014 at 8:32 pm

    That Amazon page has two listed on it, so is it only two at this point? For example YubiKey’s site has many different keys and when I read their description I can’t always tell their difference to be honest.

    1. Martin Brinkmann said on October 21, 2014 at 10:39 pm

      I see four listed there right now and two of them are Yubikeys. According to Google, it is the Fido ready logo that is important.

      1. RG said on October 22, 2014 at 3:09 am

        Now I see three there but thanks Martin, I missed the Fido note.

  4. Tom Hawack said on October 21, 2014 at 6:52 pm

    It’s a win-win feature : better security for the user and better tracking ability for Google since the user will hesitate before logging off from Google, hence here I am, here I stay, follow me.

    I love it when it’s a benefit for all.
