Google enables Security Key support for 2-Step Verification - gHacks Tech News

ADVERTISEMENT

Google enables Security Key support for 2-Step Verification

by Martin Brinkmann on October 21, 2014 in Companies, Google - Last Update: January 04, 2018 - 7 comments

One of the best ways to improve the security of a Google account is to enable 2-step verification for it. The idea behind the feature is to combine the usual account username and password with local information tied to a mobile phone.

So, instead of having to enter your Google email and password to sign in to your account, you also need to enter a code that is generated on the fly when you sign in on untrusted devices.

Attackers who get hold of the username and password cannot sign in without that code.

Google announced support for Security Key today to improve 2-Step Verification further in some scenarios.

Instead of entering code generated by the smartphone you connect the Security Key device to your computer's USB port.

Here is technical explanation of how that is done:

At the core of the protocol, the U2F device has a capability (ideally, embodied in a secure element) which mints an origin-specific public/private key pair. The U2F device gives the public key and a Key Handle to the origin website during the user enrollment step. Later, when the user performs a login, the origin website sends the Key Handle  back to the U2F device via the browser. The U2F device uses the Key Handle to identify the user’s private key and creates a signature which is sent back to the origin to verify the presence of the U2F device.

google account security keyThe method offers two distinct advantages over using the smartphone to generate a code:

  1. The Security Key only works with websites that it is supposed to work with. It won't authenticate your account on phishing websites according to Google as it verifies the site you are on before it submits the extra code to it.
  2. It requires no extra battery or mobile connection, and no drivers need to be installed on the host system.
  3. You can use the verification code at any time as well according to Google. That's handy if you are signing in on a device that does not support USB or don't have the Security Key at hand at the time.

There are downsides to this as well which need to be mentioned:

  1. You cannot use it on devices that don't support USB. If you use mobile phones or tablets most of the time, you may not be able to use it as they may not have a USB port that you can connect the key to.
  2. You need a compatible device that you need to purchase. You cannot use just any USB Flash Drive for that. With that said, devices are cheap and start at about $6 over at Amazon.
  3. Security Key works only in Google Chrome at the time of writing. To be precise, it needs to be Chrome version 38 or newer on all supported operating systems.

If you have a Security Key compatible device in your possession already, you can head over to the Google account 2-step verification page to set it up.

Note that you need to load that page in Chrome as you will get a message otherwise telling you that your browser is not supported by the feature.

Check out information about the U2F project on Google's Internet Identity Research website.

Summary
Google enables Security Key support for 2-Step Verification
Article Name
Google enables Security Key support for 2-Step Verification
Description
Google has enabled Security Key support for 2-Step verification. It allows users to sign in using a USB key instead of a generated code on a mobile device.
Author
Advertisement

Previous Post: «
Next Post: »

Comments

  1. Tom Hawack said on October 21, 2014 at 6:52 pm
    Reply

    It’s a win-win feature : better security for the user and better tracking ability for Google since the user will hesitate before logging off from Google, hence here I am, here I stay, follow me.

    I love it when it’s a benefit for all.

  2. RG said on October 21, 2014 at 8:32 pm
    Reply

    That Amazon page has two listed on it, so is it only two at this point? For example YubiKey’s site has many different keys and when I read their description I can’t always tell their difference to be honest.

    1. Martin Brinkmann said on October 21, 2014 at 10:39 pm
      Reply

      I see four listed there right now and two of them are Yubikeys. According to Google, it is the Fido ready logo that is important.

      1. RG said on October 22, 2014 at 3:09 am
        Reply

        Now I see three there but thanks Martin, I missed the Fido note.

  3. deltoid said on October 22, 2014 at 12:17 am
    Reply

    1) Does it also work
    in Google’s CHROMIUM browser?

    2) Can you use this device
    with only Google websites,
    or
    can it also be used
    to be verified
    with OTHER websites,
    for ex: Dropbox, Evernote, etc…?

    1. Martin Brinkmann said on October 22, 2014 at 12:33 am
      Reply

      I cannot answer 1) but it is likely. As far as 2) is concerned, if a site supports it it can be used for that as well.

  4. Maou said on October 22, 2014 at 1:59 am
    Reply

    Looks too troublesome right now, at least for me for me who uses multiple computers and devices and only login on a need basis, including thunderbird and outlook will be too messy for my tastes.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

Popular Posts

Advertisement

Recently Updated

This Day in History

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

© 2019 gHacks Technology News. All Rights Reserved.