One of the best ways to improve the security of a Google account is to enable 2-step verification for it. The idea behind the feature is to combine the usual account username and password with local information tied to a mobile phone.
So, instead of entering only your Google email and password to sign in to your account, you also need to enter a code that is generated on the fly when you sign in on untrusted devices.
Attackers who get hold of the username and password cannot sign in without that code.
Google announced support for Security Key today to improve 2-Step Verification further in some scenarios.
Instead of entering a code generated by the smartphone, you connect the Security Key device to your computer's USB port.
Here is a technical explanation of how that is done:
At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin website during the user enrollment step. Later, when the user performs a login, the origin website sends the Key Handle back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user’s private key and creates a signature which is sent back to the origin to verify the presence of the U2F device.
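The enrollment and login flow described above, modeled as an added example (not code from the original article, Google or the U2F specification). The names Device, Register, Sign, Verify and signedData, the origins, and the "kh-N" handle format are assumptions made for illustration; a real token uses an opaque key handle and also signs a counter and a user-presence flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Device map[string]*ecdsa.PrivateKey // simplified token: "origin|handle" -> private key

// Register mints an origin-specific key pair; the website stores pub and handle.
func (d Device) Register(origin string) (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	handle := fmt.Sprintf("kh-%d", len(d)+1) // constructed handle format
	d[origin+"|"+handle] = priv
	return &priv.PublicKey, handle, nil
}

// signedData binds a signature to both the origin and the server's challenge.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin + "\x00" + string(challenge)))
	return h[:]
}

// Sign finds the private key by origin and key handle, then signs the challenge.
func (d Device) Sign(origin, handle string, challenge []byte) ([]byte, error) {
	priv, ok := d[origin+"|"+handle]
	if !ok {
		return nil, fmt.Errorf("no key for handle %q at origin %q", handle, origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// Verify is the website's check against the public key stored at enrollment.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(origin, challenge), sig)
}

func main() {
	dev, site, nonce := Device{}, "https://accounts.example", []byte("nonce-1") // constructed values
	pub, kh, _ := dev.Register(site)
	sig, _ := dev.Sign(site, kh, nonce)
	_, err := dev.Sign("https://accounts.example.phish.test", kh, nonce)
	fmt.Println("login ok:", Verify(pub, site, nonce, sig), "| look-alike origin refused:", err != nil)
}
```

Because the origin is part of both the key lookup and the signed data, a key handle relayed by a look-alike site yields no signature, and a signature made for one challenge does not verify for another.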
There are downsides to this as well which need to be mentioned:
If you have a Security Key compatible device in your possession already, you can head over to the Google account 2-step verification page to set it up.
Note that you need to load that page in Chrome as you will get a message otherwise telling you that your browser is not supported by the feature.
Check out information about the U2F project on Google's Internet Identity Research website.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.