One of the best ways to improve the security of a Google account is to enable 2-step verification for it. The idea behind the feature is to combine the usual account username and password with local information tied to a mobile phone.
So, in addition to entering your Google email and password to sign in to your account, you also need to enter a code that is generated on the fly when you sign in on untrusted devices.
Attackers who get hold of the username and password cannot sign in without that code.
Google announced support for Security Key today to improve 2-Step Verification further in some scenarios.
Instead of entering a code generated by the smartphone, you connect the Security Key device to your computer's USB port.
Here is a technical explanation of how that is done:
At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin website during the user enrollment step. Later, when the user performs a login, the origin website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user’s private key and creates a signature which is sent back to the origin to verify the presence of the U2F device.
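To make the enrollment and login steps above concrete, here is a simulated U2F device and relying party in Go. This is example code written for this article, not Google's or the FIDO project's implementation; the integer Key Handle, the in-memory key store and the hashing layout are simplifications assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device is a constructed stand-in for the U2F token; a Key Handle is an opaque
// index into key pairs, each minted for exactly one origin.
type Device struct {
	keys    []*ecdsa.PrivateKey // private keys never leave the device
	origins []string            // origin each key pair was minted for
}

// Register (enrollment): mint an origin-specific P-256 key pair and hand the
// origin its public key plus a Key Handle.
func (d *Device) Register(origin string) (*ecdsa.PublicKey, int, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, -1, err
	}
	d.keys = append(d.keys, priv)
	d.origins = append(d.origins, origin)
	return &priv.PublicKey, len(d.keys) - 1, nil
}

// signedData binds the signature to both the origin and the server's challenge.
func signedData(origin string, challenge []byte) []byte {
	oh, ch := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	sum := sha256.Sum256(append(oh[:], ch[:]...))
	return sum[:]
}

// Authenticate (login): the browser relays the origin's Key Handle and challenge;
// the device signs only if that handle was minted for this same origin.
func (d *Device) Authenticate(origin string, handle int, challenge []byte) ([]byte, bool) {
	if handle < 0 || handle >= len(d.keys) || d.origins[handle] != origin {
		return nil, false // unknown handle, or a handle presented by a different site
	}
	sig, err := ecdsa.SignASN1(rand.Reader, d.keys[handle], signedData(origin, challenge))
	return sig, err == nil
}

// Verify is the relying party's check using the public key stored at enrollment.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}
```

Because the private key stays on the device and every signature is tied to the origin that issued the challenge, a Key Handle or signature captured by one site is useless to any other.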
The method offers two distinct advantages over using the smartphone to generate a code:
There are downsides to this as well which need to be mentioned:
If you have a Security Key compatible device in your possession already, you can head over to the Google account 2-step verification page to set it up.
Note that you need to load that page in Chrome, as otherwise you will get a message telling you that your browser is not supported by the feature.
Check out information about the U2F project on Google's Internet Identity Research website.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
It’s a win-win feature: better security for the user and better tracking ability for Google since the user will hesitate before logging off from Google, hence here I am, here I stay, follow me.
I love it when it’s a benefit for all.
That Amazon page has two listed on it, so is it only two at this point? For example, YubiKey’s site has many different keys, and when I read their descriptions I can’t always tell the difference, to be honest.
I see four listed there right now and two of them are YubiKeys. According to Google, it is the FIDO Ready logo that is important.
Now I see three there, but thanks Martin, I missed the FIDO note.
1) Does it also work in Google’s CHROMIUM browser?
2) Can you use this device with only Google websites, or can it also be used to be verified with OTHER websites, for ex: Dropbox, Evernote, etc…?
I cannot answer 1), but it is likely. As far as 2) is concerned, if a site supports it, it can be used for that as well.
Looks too troublesome right now, at least for me, who uses multiple computers and devices and only logs in on a need basis; including Thunderbird and Outlook will be too messy for my tastes.