Google enables Security Key support for 2-Step Verification
One of the best ways to improve the security of a Google account is to enable 2-step verification for it. The idea behind the feature is to combine the usual account username and password with a second factor tied to something you have, typically a mobile phone.
So, in addition to entering your Google email address and password to sign in to your account, you also need to enter a code that is generated on the fly whenever you sign in on an untrusted device.
Attackers who get hold of the username and password cannot sign in without that code.
Google announced support for Security Key today to improve 2-Step Verification further in some scenarios.
Instead of entering a code generated by your smartphone, you plug the Security Key device into your computer's USB port.
Here is Google's technical explanation of how that works:
At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin website during the user enrollment step. Later, when the user performs a login, the origin website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user's private key and creates a signature which is sent back to the origin to verify the presence of the U2F device.
The method offers three distinct advantages over using the smartphone to generate a code:
- The Security Key only works with the websites it was registered with. According to Google, it won't authenticate your account on a phishing website: the browser tells the key which site you are actually on, and the key pair was minted for the real site, so a lookalike site never receives a signature it can use.
- It requires no extra battery or mobile connection, and no drivers need to be installed on the host system.
- According to Google, you can still use a verification code at any time. That's handy if you are signing in on a device that does not support USB, or don't have the Security Key at hand.
There are downsides as well that need to be mentioned:
- You cannot use it on devices without USB. If you use mobile phones or tablets most of the time, you may not be able to use it, as they may not have a USB port you can connect the key to.
- You need to purchase a compatible device; you cannot use just any USB flash drive for this. That said, devices are cheap and start at about $6 on Amazon.
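The enrollment and login exchange quoted above, together with the origin check behind the phishing claim in the first advantage, as an added example that is not Google's, the U2F project's or any token vendor's code. It is a toy written for this article: both sides (the device and the origin website) run in one Go program, the key handle layout, the client-data format and the origin names are simplified assumptions, and the lookalike origin is constructed. The point it shows is that the browser, not the web page, decides which origin the device signs for, so a phishing site that relays a stolen key handle gets nothing back.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// U2FDevice is a toy model of the token: it mints a fresh P-256 key pair per
// registration and files it under the origin it was minted for (assumption: a
// real token wraps the key inside the handle or keeps it in a secure element).
type U2FDevice struct {
	keys    map[string]*ecdsa.PrivateKey // slot(appParam, handle) -> key
	counter uint32                       // signature counter, part of every signed message
}

// slot is the device's lookup key: SHA-256 of the app ID (origin) plus the handle.
func slot(appParam [32]byte, handle []byte) string { return string(append(appParam[:], handle...)) }

// Register is the enrollment step: returns the public key and an opaque key handle.
func (d *U2FDevice) Register(appParam [32]byte) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil {
		return nil, nil, err
	}
	if d.keys == nil {
		d.keys = map[string]*ecdsa.PrivateKey{}
	}
	d.keys[slot(appParam, handle)] = priv
	return &priv.PublicKey, handle, nil
}

// Authenticate is the login step. appParam names the origin the browser is really
// on; a handle minted for another origin is refused before anything is signed.
func (d *U2FDevice) Authenticate(appParam [32]byte, handle []byte, challengeParam [32]byte) (uint32, []byte, error) {
	priv, ok := d.keys[slot(appParam, handle)]
	if !ok {
		return 0, nil, errors.New("key handle was not minted for this origin")
	}
	d.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appParam, d.counter, challengeParam))
	return d.counter, sig, err
}

// signedData is what both sides hash: appParam || user-presence byte || counter || challengeParam.
func signedData(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(appParam[:], 0x01) // 0x01: the user touched the button
	msg = append(append(msg, ctr[:]...), challengeParam[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// RelyingParty is the origin website: it keeps what the device handed over at
// enrollment and verifies logins against its OWN origin, never one the client sends.
type RelyingParty struct {
	Origin string
	pub    *ecdsa.PublicKey
	handle []byte
}

func (rp *RelyingParty) appParam() [32]byte { return sha256.Sum256([]byte(rp.Origin)) }

func (rp *RelyingParty) Enroll(dev *U2FDevice) (err error) {
	rp.pub, rp.handle, err = dev.Register(rp.appParam())
	return err
}

// Login runs one challenge/response. browserOrigin is where the browser really is;
// that is what it binds the challenge to and what it hands the device as appParam.
func (rp *RelyingParty) Login(dev *U2FDevice, browserOrigin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	challengeParam := sha256.Sum256(append([]byte(browserOrigin+"|"), challenge...)) // browser's client data
	ctr, sig, err := dev.Authenticate(sha256.Sum256([]byte(browserOrigin)), rp.handle, challengeParam)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(rp.pub, signedData(rp.appParam(), ctr, challengeParam), sig), nil
}

func main() {
	dev, rp := &U2FDevice{}, &RelyingParty{Origin: "https://accounts.google.com"}
	if err := rp.Enroll(dev); err != nil {
		panic(err)
	}
	// The second origin is a constructed lookalike that relays the stolen key handle.
	for _, origin := range []string{rp.Origin, "https://accounts-google.example"} {
		ok, err := rp.Login(dev, origin)
		fmt.Println(origin, "->", ok, err)
	}
}
```

Running it prints `true <nil>` for the genuine origin and `false key handle was not minted for this origin` for the lookalike. Two simplifications to keep in mind: in real U2F the browser also returns the client data itself, so the site checks the origin string directly rather than only through the hash, and the site should remember the counter and reject a value that does not increase, which is how a cloned token is noticed.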
- Security Key works only in Google Chrome at the time of writing. To be precise, it needs to be Chrome version 38 or newer on all supported operating systems.
If you have a Security Key compatible device in your possession already, you can head over to the Google account 2-step verification page to set it up.
Note that you need to load that page in Chrome; otherwise you will get a message telling you that your browser is not supported by the feature.
Check out information about the U2F project on Google's Internet Identity Research website.
It’s a win-win feature: better security for the user and better tracking ability for Google, since the user will hesitate before logging off from Google; hence here I am, here I stay, follow me.
I love it when it’s a benefit for all.
That Amazon page has two listed on it, so is it only two at this point? For example YubiKey’s site has many different keys and when I read their description I can’t always tell their difference to be honest.
I see four listed there right now and two of them are Yubikeys. According to Google, it is the Fido ready logo that is important.
Now I see three there but thanks Martin, I missed the Fido note.
1) Does it also work in Google’s CHROMIUM browser?
2) Can you use this device with only Google websites, or can it also be used to be verified with OTHER websites, for ex: Dropbox, Evernote, etc…?
I cannot answer 1) but it is likely. As far as 2) is concerned, if a site supports it it can be used for that as well.
Looks too troublesome right now, at least for me, as I use multiple computers and devices and only log in on a need basis; including Thunderbird and Outlook will be too messy for my tastes.